Data Breach Toll Tied to Clop Group's MOVEit Attack Surges
2,050 Organizations Affected After Data Stolen From Secure File-Sharing Software

The count of organizations affected by the Clop ransomware group's most recent mass targeting of secure file transfer software doubled last week. Experts tracking the data theft campaign now say over 2,000 organizations directly or indirectly fell victim.
Clop launched its mass attack campaign around May 27 when it exploited a zero-day vulnerability in MOVEit to steal data being stored on file transfer servers. Progress Software issued a security alert and patch for the flaw on May 31, although most if not all of Clop's data theft appeared to have already concluded by then.
While not all victims lost sensitive data, hundreds of organizations have begun to notify individuals that hackers stole their personally identifiable information. German consultancy KonBriefing estimated Monday that between 54 million and 59 million individuals' personal details were exposed in the attack.
Security firm Emsisoft on Friday estimated that at least 2,054 organizations have been affected by the MOVEit software attacks. That's a sharp rise from one week ago, when its count of affected organizations stood at about 1,190.
The known victim count surged Thursday, when the National Student Clearinghouse notified the California state attorney general's office that data tied to nearly 900 colleges and universities had been stolen from its MOVEit server.
"How many current and former students were affected remains unclear," said Brett Callow, a threat analyst at Emsisoft, via social media platform X, formerly known as Twitter. National Student Clearinghouse works with more than 3,500 colleges and universities in the U.S. and stores data on 17.1 million current postsecondary students.
Files stolen in the attack included individuals' names, birthdates, contact information, Social Security numbers, student ID numbers and some educational records, such as course enrollment and degrees attained. "The data that was affected by this issue varies by individual," the NSC said. It is offering affected individuals two years of prepaid identity theft monitoring services via Kroll.
A number of other organizations have recently issued or updated their MOVEit data breach notifications. The government-funded Better Outcomes Registry & Network, aka BORN, which is Ontario's prescribed perinatal, newborn and child registry, issued a breach notification stating that 3.4 million individuals have been affected, including 1.4 million women seeking prenatal or pregnancy care, and 1.9 million children, including those born in Ontario between January 2010 and this past May.
"The personal health information that was copied was collected from a large network of mostly Ontario healthcare facilities and providers regarding fertility, pregnancy, newborn and child healthcare," it said.
Sovos Compliance, a third-party service provider that tracks unclaimed property claims tied to financial accounts or payments, said it had notified all affected companies it works with on July 20 about which of their data had been stolen in the attacks. On Friday, the company began to directly notify 181,507 affected individuals that their driver's license numbers or state-issued ID numbers had been stolen, offering them two years of prepaid identity theft monitoring services via Kroll.
Financial Institution Service Corp., based in West Monroe, Louisiana, which provides data processing and support services to financial institutions in Louisiana and surrounding states, has started to notify 753,261 individuals that their payment card data - including security or access codes - was stolen in the attacks. FISC is offering victims 12 months of identity theft monitoring via Kroll.
Johnson Financial Group in Racine, Wisconsin, on Friday began to notify 93,093 individuals that their financial account information or payment card data - including security or access codes - had been stolen in the attacks. It is offering victims two years of identity theft monitoring via ChexSystems.
Repeat File Transfer Attacks
The MOVEit attacks represent the fourth time Clop has targeted widely used secure file transfer software to steal data and hold it to ransom, and it is likely to keep launching these types of attacks, said Teresa Walsh, chief intelligence officer and managing director for EMEA at FS-ISAC, the financial services industry's information sharing and analysis center (see: Lessons to Learn From Clop's MOVEit Supply Chain Attacks).
"They have targeted these types of systems before, and they will target them again because it's successful for them," she said. "Why wouldn't they try their successful formula over and over again?"
Clop may have earned $75 million to $100 million via a few very large ransom payments from bigger victims in the early days of its campaign, ransomware incident response firm Coveware reported. Organizations may have paid a ransom for a guarantee from Clop that they would not be named on its leak site.
In June, Clop began posting to its data leak site the names of victims who had declined to pay a ransom, although it claimed to have deleted outright any data it stole from government organizations. Subsequently, it began leaking stolen data.
"If you put data on internet where data is not protect do not blame us for penetration testing service," the group claimed in a grammatically challenged message posted to its data leak site. "We are only financial motivated and do not care anything about politics."
At times, the extortionists struggled to effectively leak the massive volume of data they had stolen. For some victim organizations, such as Aon, EY, Kirkland and TD Ameritrade, Clop created stand-alone websites to host large sets of stolen data, although these sites remained online for very little time, likely due to internet service providers receiving legal takedown notices.
Given Clop's proclivity for attacking secure file transfer software via zero-day vulnerabilities, FS-ISAC's Walsh told Information Security Media Group that all organizations using such software should review best practices for locking it down - including via encryption and access controls - and should practice data minimization by quickly removing transferred data from such servers.
Organizations that already followed these types of "good cyber hygiene practices" with their MOVEit software will have seen far less - if any - sensitive data be stolen by Clop, she said.
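The data minimization point above is the one control that limits what a zero-day like this can reach: a file that has already been removed from the transfer server cannot be stolen from it. The following is an added example, not code from the article, from Progress Software or from MOVEit; it shows a retention sweep of the kind a team might schedule against a transfer server's inbound directory. The directory path and the seven-day window are assumptions, and the script defaults to a dry run so the list of expired files can be reviewed before anything is deleted.

```python
"""Retention sweep for a managed-file-transfer drop directory.

Added example (not from the article or from the MOVEit product): removes
transferred files that have sat on the server longer than a retention
window, so a later compromise of the server finds little left to steal.
The 7-day window and the /srv/mft/inbound path are assumptions.
"""
import os
import sys
import time
from pathlib import Path

RETENTION_SECONDS = 7 * 24 * 3600  # assumption: keep transferred files 7 days


def expired_files(root, retention_seconds=RETENTION_SECONDS, now=None):
    """Return regular files under root last modified before the retention window.

    Symlinks are skipped so a planted link cannot redirect the sweep to files
    outside the transfer directory; directories themselves are left in place.
    """
    now = time.time() if now is None else now
    expired = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        age = now - path.stat().st_mtime
        if age > retention_seconds:
            expired.append(path)
    return sorted(expired)


def sweep(root, retention_seconds=RETENTION_SECONDS, dry_run=True, now=None):
    """Delete expired files (or only list them when dry_run) and return their paths."""
    handled = []
    for path in expired_files(root, retention_seconds, now):
        if not dry_run:
            path.unlink()
        handled.append(str(path))
    return handled


if __name__ == "__main__":
    # Usage: python retention_sweep.py [directory] [--apply]
    # Without --apply the script only prints what it would delete.
    target = sys.argv[1] if len(sys.argv) > 1 and not sys.argv[1].startswith("--") \
        else "/srv/mft/inbound"  # assumed inbound directory
    for removed in sweep(target, dry_run="--apply" not in sys.argv):
        print(removed)
```

Run it first without `--apply` and compare the listing against the business process that consumes the files; a retention window shorter than the slowest downstream pickup will delete data before it is read, which is the usual reason such sweeps get disabled and never re-enabled.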
Sept. 25, 2023 15:05 UTC: This story has been updated with details of the BORN Ontario breach.