A MOVEit data breach resulted in “at least” 64 million people having their personal data exposed by the failings of a company they’ve likely never heard of.
The breach affected customer organizations ranging from Sony to the Louisiana Office of Motor Vehicles, and the SEC is now investigating …
MOVEit data breach
Rather ironically, MOVEit offers software to help companies and government agencies transfer files according to “strict cybersecurity compliance standards such as PCI-DSS, HIPAA, GDPR, SOC2 and more” and claims to “provide a secure environment for your most sensitive files.”
But a zero-day vulnerability in its software was exploited by a large-scale ransomware gang, as described in a Malwarebytes report back in August.
The full impact of the breach may still not be fully known, but one report cited by Engadget says that the personal data of at least 64M people has been compromised, through more than 2,500 different organizations.
It is a legal requirement for public companies impacted by data breaches to declare that fact, as their stock price may be impacted, and it may introduce financial risks like lawsuits. The Securities & Exchanges Commission (SEC) beefed up this reporting requirement in July. The new rule gives companies just four days to disclose the breach.
Progress Software has revealed that it is facing 58 class action lawsuits.
SEC now investigating
Today’s report says that the SEC is now investigating the hack.
Progress Software disclosed that it has received a subpoena from the SEC to share information relating to the vulnerability in its file transfer software, MOVEit, which became the subject of a massive exploit beginning last May.
According to the filing, the investigation is presently a “fact-finding inquiry,” and there’s no indication at this time that Progress has “violated federal securities laws.” The company intends to cooperate with the SEC.
Double-extortion tactic by ransomware gangs
One reason for the sheer amount of data exposed is that ransomware gangs this year began employing a double-extortion technique.
Previously, gangs would encrypt data belonging to organizations, denying them access to it. They would then demand a ransom in return for the decryption key.
However, organizations with solid backup regimes would be able to roll back their systems in order to regain access. Ransomware gang CL0P responded by saying that if the organization didn’t pay, it would also make the stolen data public.
FTC: We use income earning auto affiliate links. More.
