Earlier this week, ransomware operator Clop started listing the victims, compromised in the MOVEit data breach, on its data leak website, the media are reporting. According to a TechCrunch report, among the first victims to be listed on the site include 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, University System of Georgia.
These organizations come from a wide variety of industries, including finance, education, energy, IT, healthcare, and more.
It was also reported that GreenShield Canada, a non-profit provider of healthcare and dental benefits, was listed and subsequently deleted from the data leak site. While it’s impossible to determine at this point, it could be that the non-profit agreed on a ransom demand and paid it in order to have its data removed from the site.
While these are the first companies the Clop ransomware gang itself posted on the leak site, these are not the first companies in general, that are confirmed to have been hit by the incident. HR and payroll software supplier Zellis confirmed its systems were compromised early last week, and given that it provides its services to some of the biggest companies in the UK, the data breach tricked down. Hence, the BBC, British Airways, and Aer Lingus, all confirmed having sensitive data stolen from their premises.
Furthermore, the Johns Hopkins University, as well as Ofcom, also confirmed being hit. The Government of Nova Scotia, and the Transport for London (TfL) were also affected, but it’s too early to tell if Clop will release their files or not. In its initial announcement, the threat actor said “If you are a government, city or police service… we erased all your data.”
The BBC also claims Ernst and Young were affected, too.
Analysis: Why does it matter?
Data is the fuel of almost every hacking attempt out there. By utilizing sensitive, personally identifiable data, hackers can engage in all sorts of cyberattacks, from wire fraud to identity theft, from additional ransomware attacks to business email compromise (BEC). Most successful breaches nowadays start with a phishing email, and if the email message can be highly personalized, it adds a dangerous dose of legitimacy to the otherwise easily spotted threat. If Clop indeed ends up publishing sensitive data belonging to employees, customers, and clients, of dozens, if not hundreds, of companies around the world, it might trigger a wave of secondary attacks that won’t subside for years to come.
Furthermore, losing data in such a manner hurts the victim firm in a number of ways. The most obvious one is loss of business – restoring the system takes time and money, and while the victim is busy doing just that, the competition is getting significantly ahead. Also, consumers and other businesses are known to abandon companies that lost their personal data and take their business elsewhere. For some, this loss of trust could be permanent and could result in the businesses closing their doors, entirely.
Finally, there are state and regulation affairs. Most countries around the world have strict data security policies these days, and breaking them can result in fines. Data protection regulations, such as the GDPR in the EU, dictate exactly what businesses must do to ensure the safety of employee, customer, and client data, and how they must behave in case of a cyberattack.
While Clop did use a zero-day vulnerability to access the data with malware, a follow-up investigation will determine if individual companies did all they could to protect their data and if not, the fines could be as high as millions of dollars.
What have others said about the data breach?
In the first days of June, Reuters reported of hackers using a flaw in a popular file transfer tool to steal data. At the time, it was unknown who was behind the attack, or what their motivations were. Among other things, the report stated that the MOVEit managed file transfer tool, built by a company called Progress Software, counted roughly two dozen users: “MOVEit Transfer was used by a relatively “small” number of customers compared to those of the company’s other software products that number more than 20,” Reuters said, citing Progress’ Chief Information Officer, Ian Pitt.
TechCrunch also added that Clop’s modus operandi is similar to that of other ransomware operators out there, and that it was expected of the threat actor to reach out to victims and demand a ransom payment to decrypt or delete the stolen files. However, in this incident, Clop decided not to contact anyone, and instead just leave a blackmail message on its leak site and tell the victims to reach out themselves.
The deadline for the initial communication expired on June 14.
If you want to learn more about secure file transfer solutions, you can start by reading our in-depth guide here. We also have a guide on the best files transfer software right now, as well as a guide on the best ways to share large files. Also, make sure to read up on phishing, with our “What is phishing” article, as well as “Everything you need to know about phishing”.