3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management

Count of Organizations Breached via MOVEit Campaign Hits 400

20 Million Individuals' Details Collectively Stolen, Based on 20% of Victim Reports
Count of Organizations Breached via MOVEit Campaign Hits 400
The South Bend, Indiana, headquarters of 1st Source Bank, which lost customer data due to Clop's MOVEit attacks (Image: Jennifesa/Wikimedia Common)

The count of organizations affected by the Clop ransomware group's attack on MOVEit file-transfer software users continues to grow.

See Also: OnDemand Webinar | Third-Party Risk, ChatGPT & Deepfakes: Defending Against Today's Threats

As of Friday, over 400 organizations have confirmed that Clop obtained their data, according to German cybersecurity research firm KonBriefing.

Some affected organizations were breached when the Russian-language Clop group attacked their MOVEit Transfer software, while others fell victim because Clop hit one or more of their MOVEit-using service providers.

The number of individuals whose personal data was stolen in the attacks now surpasses 20 million, said Brett Callow, a threat analyst at New Zealand-based anti-malware firm Emsisoft. His victim count is based on the fewer than 70 data breach disclosures to date that have quantified the number of affected individuals; 80% of victim organizations have not yet shared such information. Thus the true number of victims is likely much higher.

The majority of the MOVEit breaches appeared to take place on May 30 and May 31, when Clop targeted a zero-day vulnerability, tracked as CVE-2023-34362, in MOVEit. Massachusetts-based Progress Software, which sells MOVEit, patched the flaw on May 31, blocking further attacks.

Progress Software is already the target of at least one proposed class action lawsuit filed by victims. They're accusing Progress of having failed "to properly secure and safeguard" individuals' personal data, leaving them at increased risk of identity theft.

While most known victims to date are U.S.-based, KonBriefing said so far 32 victims are in Germany, 22 in Canada and 18 in the United Kingdom, plus a handful more in over 20 other countries. Clop has been slowly releasing new victim names, typically in batches of 10, to its data leak site, apparently because the victims declined to pay a ransom. How many affected organizations paid the group a ransom in exchange for a promise to not be named remains unclear.

Known Victim List Grows

A number of big-name organizations fell victim to Clop, including American Airlines, British Airways, Shell, the U.S. Department of Energy, numerous pension firms, the Louisiana Department of Motor Vehicles, as well as a long list of universities.

In recent days, more victims have come to light as the organizations issued data breach notifications detailing how many individuals' personal details - typically Social Security numbers - were exposed: Fidelity & Guaranty Life Insurance Co., 873,000 victims; 1st Source Bank in Indiana, 450,000 victims; Franklin Mint Federal Credit Union in Pennsylvania, 141,000 victims; TSG Interactive US Services Limited, which does business as PokerStars, 110,291 victims; Athene Annuity and Life Company in Iowa, 70,412 victims; and Massachusetts Mutual Life Co., aka MassMutual, 242 victims.

Estimates of the total number of organizations affected by the MOVEit campaign remain an open question. In a data breach notification filed with the Maine Attorney General's Office, 1st Source Bank says it "is one of an estimated 2,500 organizations worldwide that may have recently been affected by the MOVEit software vulnerability." The bank provided no source for that estimate.

Service Providers Compound Impact

Complicating any such analysis is the fact that multiple service providers fell victim to Clop's attacks, compounding the impact of its campaign. One victim was third-party service provider PBI Research Services, which helps pension plans and insurers comply with regulatory rules requiring them to identify when customers die, to trigger and deliver death benefits. PBI now says the attack compromised data for at least 1.2 million individuals that it stored on behalf of multiple customers.

Another service provider victim of the MOVEit campaign was Teachers Insurance and Annuity Association, which works with more than 15,000 institutions and serves 5 million active and retired employees. It's continuing to probe the impact of Clop's attack against it. So too is National Student Clearinghouse, which processes data for 17.1 million students currently enrolled in 3,600 colleges and universities, representing 97% percent of current U.S. postsecondary enrollment - "as well as students who were enrolled in previous years," Emsisoft said. How many of them might also be affected?

The expert consensus is that it's far too soon to guess the full extent of the MOVEit data breaches. "The number of known victims will certainly increase in the coming weeks," said Bert Kondruss, managing director at KonBriefing Research.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.