Mar 8, 2024

Breaking Down the Current State of the MOVEit Data Breach

Breaking Down the Current State of the MOVEit Data Breach - data breach

MOVEit is a file transfer platform made by Progress Software Corporation, an American public company that offers software for creating and deploying business applications. The MOVEit platform is used by thousands of governments, financial institutions, and other public and private sector bodies worldwide to send and receive large amounts of often sensitive data, including pension information, social security numbers, medical records, billing data, and more. In May 2023, data started to be transferred from hundreds of MOVEit deployments. However, these were not routine file transfers initiated by legitimate software users. According to the official report, MOVEit had been hacked, and the data was being stolen by a ransomware operation known as Cl0p.


Who Is Cl0p?

According to the Cybersecurity and Infrastructure Security Agency (CISA), CLOP or CL0P, Ransomware, is behind the recent MOVEit data breaches. CLOP is a member of the Cryptomix ransomware family and is a dangerous file-encrypting malware that intentionally exploits vulnerable systems and encrypts saved files with the ".Clop" extension. CL0P has claimed responsibility for the hacks and has listed its alleged victims since June 14th. According to an investigation conducted by the Federal Bureau of Investigation (FBI), in the MOVEit breach, Cl0p has been able to access addresses, authorization information, claim information, dates of birth, names, social security numbers, and more. 

Researchers monitoring Cl0p and the breach believe they may have been sitting on the MOVEit breach as far back as 2021. According to Kroll, a financial and risk advisory firm based in NYC, it believes Cl0p had been experimenting with exploiting this vulnerability for almost two years. In a published report, Kroll states it believes the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event (another data breach conducted by Cl0p prior to the MOVEit breach) where it states Cl0p "proactively chose to execute the attacks sequentially instead of in parallel."


60,144,069 Million Estimated To Be Affected

As of August 25th, Emsisoft, a New Zealand-based anti-virus software distribution company, published Cl0p crossed not only the milestone of affecting over 1,000 victim organizations but also the number of impacted individuals, as they have estimated the ransomware group surpassed the 60 million mark. Emsisoft sourced its findings from state breach notifications, SEC regulatory filings, and other public disclosures. The anti-virus software also noted that the numbers are only likely to increase as more and more organizations continue to confirm MOVEit-related data breaches. 

Originally, it was believed that CL0p was primarily targeting the International Network of Health Promoting Hospitals and Health Services groups worldwide. However, the exposure has surpassed health services groups, affecting companies like American Airlines, BBC, British Airways, Discovery, Emsisoft, Kondruss, Ernst & Young, Estee Lauder, First National Bankers Bank, IBM, ING Bank, Shell company, Shutterfly, SONY, Warner Bros, and many more. The breach has also made its way into academia, where multiple financial and insurance institutions have confirmed their systems were accessed, including, but not limited to: 

  • Geico
  • Fidelity Life Assoc.
  • Humana
  • Progressive Casualty Insurance
  • TransAmerica Life Insurance Co.
  • Wilton Reassurance Company
  • Bank of America
  • Corebridge Financial
  • Genworth Financial
  • calPERS
  • Prudential
  • Charles Schwab
  • TD Ameritrade
  • Community Trust Bank, Inc.

According to Emsisoft's researchers, when looking at the entities affected, U.S.-based organizations account for 83.9% of known MOVEit corporate victims. In comparison, organizations in Germany account for about 3.6% of total victims, followed by Canadian companies at 2.6% and firms in the United Kingdom at 2.1%. As it currently stands, Maximus, an American government services company that works to provide services to manage and administer government-sponsored programs, holds the place as the largest victim of the MOVEit breach, with an estimated 11 million individuals affected. 

Following with roughly 10 million people is Pôle emploi, a French governmental agency that provides programs for the unemployed. Next on the list includes the Louisiana Office of Motor Vehicles at 6 million, Alogent with 4.5 million, and the Colorado Department of Health Care Policy and Financing with 4 million affected. For a comprehensive list of the top companies affected by the Cl0p MOVEit data breach, you can read more here


Cl0p Estimated To Earn $100,000,000 Due to the Breach

According to ransomware recovery company Coveware, Cl0p could earn $75-100 million dollars from the MOVEit campaign from a small group of victims who gave in to the hackers' demands and paid significant ransom payments. In an attempt to combat the cyber hacking group, the U.S. State Department is offering a $10 million bounty related to information on the Russia-linked Cl0p ransomware gang after records from a number of department's entities, including the Department of Energy's Oak Ridge Associated Universities and a Waste Isolation Pilot Plant located in New Mexico, were compromised in the MOVEit breach.

While the CISA has confirmed that "several" U.S. government agencies have experienced intrusions, Cl0p claims it currently does not have any amount of government data. In a post on its website, Cl0p claimed it is only "financially motivated" and would "do the polite thing" and delete all government-related data. However, Cl0p has yet to provide evidence for this claim.


What Comes Next in the MOVEit Breach?

The MOVEit incident highlights the challenges organizations face when securing their data. However, it also highlights the security concerns when partnering with other companies. As more attacks leverage zero-day vulnerabilities, like the MOVEit breach, companies will struggle to find solutions to ever-evolving cyber attacks. As mentioned, the breach will continue to impact companies, and the price of ransoms, if paid, will not be the only cost. Companies affected by the breach can also expect to foot the bill for credit monitoring services for those individuals affected, as well as face multiple lawsuits. For the millions of individuals affected worldwide, until a solution from these companies can be provided, they are highly encouraged to contact an attorney. 

Victims affected by the MOVEit data breach can contact a Morgan & Morgan attorney by completing our free, no-obligation case evaluation form today.