Deep Dive - Jan 2024
Thousands of firms suffer data breaches via zero-day flaws in MOVEit file transfer software.
On May 31, 2023, an event since dubbed a "global privacy disaster" came to light: threat actors had capitalised on zero-day vulnerabilities within MOVEit, a managed file transfer software. This resulted in the unauthorised extraction of sensitive data belonging to at least 66.4 million individuals from more than 2,500 firms.
Find out more about this major operational risk loss event by downloading the free Deep Dive from ORX News.
The Deep Dive, usually only available to ORX News subscribers, provides vital information about this information security event, including:
- A detailed explanation of the event
- Attack method
- Internal risk factors, including third party risk and digital supply chain risk
- External risk factors, including analysis of the zero-day vulnerabilities
- Remedial measures taken in response to the event
- Financial and non-financial impacts
Download the free Deep Dive for all this information and more.
Introduction to the MOVEit data breach
Listen to Isobel Selwyn, ORX News Researcher, and Helen L’Abbate, Head of Services at ORX, for an overview of this loss event. For more detailed information, download the full Deep Dive.
Summary of the operational risk loss event
Cl0p, the notorious Russian-speaking cybercrime syndicate and hacking group, was behind the attacks that began on 27 May 2023. The group exploited an SQL injection zero-day vulnerability in the MOVEit software to infect the target server with malware and steal sensitive data from the underlying MOVEit Transfer databases. Cl0p had been testing the vulnerability and resultant access to MOVEit databases since July 2021.
MOVEit was commonly used by firms or third-party vendors involved in the financial services industry, as well as education, government, and healthcare, to transfer large amounts of data. Therefore, the data exfiltrated from the MOVEit databases commonly involved personally identifying information (PII), such as full names, addresses, financial information, and Social Security numbers (SSNs), amongst other information.
MOVEit’s developer, Progress Software, was first informed of suspicious activity in its software environment on 28 May 2023. By 31 May 2023, it had identified a previously unknown flaw in the software, also known as a zero-day vulnerability, that had been exploited by threat actors. It quickly notified customers and patched the flaw. Reviews of the MOVEit code led to the discovery of five more zero-day vulnerabilities, which were promptly patched by 6 July 2023.
Referred to as a “hydra-headed breach”, the attacks rippled up and down the complex digital supply chain, impacting several key vendors and compromising the data of multiple institutions. Some institutions were impacted directly, but the majority suffered data breaches via a third or nth-party vendor. The widescale breaches and the high-profile victims meant the MOVEit campaign was said to be “arguably the most successful public extortion campaign […] seen to date”, and that the impacts of the breaches, whilst still unknown, “will eventually be measured in years, not months”.
As of 26 October 2023, 2,559 organisations and 66,369,148 individuals had been confirmed as impacted by the MOVEit data breaches, according to anti-malware company Emsisoft.
The first related class action lawsuit brought by impacted customers was filed against Progress on 15 June 2023. Dozens more have since been filed against impacted customers’ breached banks or insurers. As of late October 2023, none have reached settlement, but regulators and law enforcement agencies have begun both formal and informal inquiries into the incident. In particular, the US Securities and Exchange Commission (SEC) began a formal investigation into Progress on 2 October 2023.
Remediation of the incident is ongoing, and many firms were unable to approximate their incurred and expected costs for remedial activities by the end of Q3 2023. Total costs of USD 20 million for Q3 2023 were reported by the firms that did publish this figure. Based on the average cost of customer PII involved in a data breach, current impact estimates mean that the MOVEit incident could have a total cost of up to USD 12.15 billion.
About ORX News
ORX News is the industry’s leading source of operational risk loss events. Firms can subscribe for exclusive data and analysis tailored to the banking, insurance, and asset management sectors.
How does it work?
Our team of dedicated researchers collectively speaks more than seven major languages. The ORX News website makes it easy to access recent operational and non-financial risk (ONFR) loss events, which are summarised in English, categorised, searchable, and exportable. ORX News keeps you informed and connected with the latest ONFR developments, and you can use the data for modelling, benchmarking and scenarios.
Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2024