Zywave FPN

Zywave | Advisen Front Page News - Monday, July 31, 2023

MOVEit by the numbers: PII tops the list of compromised data

By Ehden Pelaez, Front Page News

Nearly two months after zero-day vulnerabilities in the widely used file-sharing tool MOVEit came to light, cyberattacks exploiting the security flaw have reportedly hit over 400 organizations and as many as 22 million individuals worldwide, marking it as one of the most significant cybersecurity incidents of the year.

Notorious cybercrime gang Cl0p claimed responsibility for the attacks, threatening to release exfiltrated data unless victim organizations paid ransom by June 14.

The list of affected entities continues to rise, with victims across various industries and geographical locations. Organizations and governments alike fell victim to the attacks, including Siemens Energy, British Broadcasting Corporation (BBC), the Government of Nova Scotia, PricewaterhouseCoopers (PwC), Shell, and the Department of Energy’s Oak Ridge Associated Universities. Payroll provider Zellis was affected, which had a knock-on effect on clients like retailer Boots and British Airways.

Data from Zywave’s Loss Insight indicates that organizations in the Finance and Insurance, Public Administration, Educational Services, and Information sectors were most affected by the cyberattack. Zywave’s Loss Insight tool leverages a large-loss database of over 200,000 cyber records with an aggregate value of $86 billion.

MOVEit and the Cl0p ransomware gang

MOVEit is a popular file-sharing tool developed by Ipswitch, Inc., now a part of Progress Software. The software is designed to encrypt files and to complete secure data transfers. Thousands of corporations and institutions in the public and private sectors all over the world use this platform to send and receive information.

In May, Cl0p, a ransomware gang known for demanding multimillion-dollar payments from victims, exploited a zero-day SQL injection vulnerability in the file-sharing platform. The flaw allowed unauthorized access to the MOVEit Transfer database, resulting in widespread data theft and extortion incidents.

According to reports, Progress Software learned of the vulnerability through a customer on May 28, and disclosed it to the public on May 31. The firm later disclosed two more critical vulnerabilities affecting the MOVEit platform in June.

The Cl0p ransomware gang’s history of high-profile attacks dates to its emergence in early 2019. These include the 2021 Accellion FTA (File Transfer Appliance) hack, and the Fortra GoAnywhere MFT secure file-sharing solution cyberattack. Security experts at Kroll estimate Cl0p threat actors may have known of the MOVEit vulnerability since 2021 and extensively plotted their attacks.

MOVEit’s ripple effect

The severity of the MOVEit cyber event is still unfolding as more organizations assess and report their exposure. In addition to the direct impact on clients of Progress Software, there has been an indirect impact on organizations throughout the downstream digital supply chain. Firms that have business relationships with third-party providers affected by the event will need to consider potential legal and regulatory obligations.

Some organizations, like the University of Utah, have identified exposure via multiple service providers -- two vendors used by the university, the National Student Clearinghouse and Minnesota-based PBI Research, have both confirmed that their data was compromised in the MOVEit incident.

When data is lost, lawsuits follow

According to data tracked by Zywave’s Loss Insight, personally identifiable information (PII) was the most frequently compromised type of data, at 34%. Institutions such as Johns Hopkins University, Ofcom, and Zellis have verified that the information stolen from their servers includes names, addresses, and birth dates of their employees, staff, or students, among others.

In response to the perceived failure to establish and follow sufficient security protocols, multiple parties have initiated class action lawsuits against Progress Software and breached organizations.

Less than three weeks after Progress Software disclosed the MOVEit vulnerabilities, separate class action lawsuits were filed in Louisiana alleging the vulnerability led to the breach of the state Office of Motor Vehicles, and in Massachusetts for the company’s alleged failure to adhere to Federal Trade Commission (FTC) guidelines for data security, to protect customer data, and to properly monitor its own internal systems.

On June 21, Louisiana resident Christopher Pipes filed a class action complaint against Progress Software Corporation and Ipswitch, Inc. alleging the two firms failed to protect the personal information of millions of individuals during the “major international cyberattack.”

In addition to Progress Software, individuals filed lawsuits against companies affected by the cyberattack. On June 28, Robert Anastasio, a customer of life insurer Genworth Financial, filed a class action complaint against Progress Software and Pension Benefit Information, LLC. Minnesota-based PBI provides verification services to pension funds, insurance companies, and others, including Genworth. The suit alleges that PBI negligently chose to utilize the MOVEit software to store and transfer PII despite the security vulnerabilities.

The Johns Hopkins University and The Johns Hopkins Health System Corporation face two class action lawsuits, one filed on July 7 and another on July 10, alleging failure to properly secure and safeguard members’ protected health information and PII stored within Johns Hopkins’s information network.

Lessons to be learned

In the wake of MOVEit, affected companies have scrambled to bolster their defenses, secure data, and retain the trust of their stakeholders. Progress Software quickly issued patches to remediate the vulnerabilities. Other affected organizations like PwC, Ernst & Young, and Genworth Financial also reported that they halted use of the software and have launched their own investigations into the cybersecurity incident.

While the MOVEit cyberattack has dealt a devastating blow to many organizations, it also serves as a much-needed wake-up call for companies and institutions to continually assess and update their cybersecurity measures in the face of evolving threats. It also highlights the necessity of quick detection and response to mitigate the damage in the event of a breach, as well as the implementation of patch management procedures to quickly address vulnerabilities. After all, in today's digital era, a strong defense is the best offense against cyber threats.

Infographics by FPN’s Karla Tecson. Editing by Erin Ayers and Leslie Castillo.

To learn more about Zywave’s Loss Insight, visit https://www.zywave.com/insurer/loss-insight/ or email adv_support@zywave.com.

*Zywave’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.
