MOVEit transfer data breaches Deep Dive

Summary of the operational risk loss event

Cl0p, the notorious Russian-speaking cybercrime syndicate and hacking group, was behind the attacks that began on 27 May 2023. The group exploited an SQL injection zero-day vulnerability in the MOVEit software to infect the target server with malware and steal sensitive data from the underlying MOVEit Transfer databases. Cl0p had been testing the vulnerability and resultant access to MOVEit databases since July 2021.

MOVEit was commonly used by firms or third-party vendors involved in the financial services industry, as well as education, government, and healthcare, to transfer large amounts of data. Therefore, the data exfiltrated from the MOVEit databases commonly involved personally identifying information (PII), such as full names, addresses, financial information, and Social Security numbers (SSNs), amongst other information.

MOVEit’s developer, Progress Software, was first informed of suspicious activity in its software environment on 28 May 2023. By 31 May 2023, it had identified a previously unknown flaw in the software, also known as a zero-day vulnerability, that had been exploited by threat actors. It quickly notified customers and patched the flaw. Reviews of the MOVEit code yielded discovery of five more zero-day vulnerabilities that were promptly patched by 6 July 2023.

Referred to as a “hydra-headed breach”, the attacks rippled up and down the complex digital supply chain, impacting several key vendors and compromising the data of multiple institutions. Some institutions were impacted directly, but the majority suffered data breaches via a third or nth-party vendor. The widescale breaches and the high-profile victims meant the MOVEit campaign was said to be “arguably the most successful public extortion campaign […] seen to date”, and that the impacts of the breaches, whilst still unknown, “will eventually be measured in years, not months”.

As of 26 October 2023, 2,559 organisations and 66,369,148 individuals had been confirmed as impacted by the MOVEit data breaches, according to anti-malware company Emsisoft.

The first related class action lawsuit brought by impacted customers was filed against Progress on 15 June 2023. Dozens more have since been filed against impacted customers’ breached banks or insurers. As of late October 2023, none have reached settlement, but regulators and law enforcement agencies have begun both formal and informal inquiries into the incident. In particular, the US Securities and Exchange Commission (SEC) began a formal investigation into Progress on 2 October 2023.

Remediation from the incident is ongoing and many firms were unable to approximate their incurred and expected costs for remedial activities by the end of Q3 2023. Total costs of USD 20 million for Q3 2023 were reported by the firms that did publish this figure.  According to the average cost of customer PII involved in a data breach, current impact estimates mean that the MOVEit incident could have a total cost of up to USD 12.15 billion.

Fill in the form below to get your free copy of the Deep Dive exploring the MOVEit loss event.

ORX News is the industry’s leading source of operational risk loss events. Firms can subscribe for exclusive data and analysis tailored to the banking, insurance, and asset management sectors.

How does it work?

Our team of dedicated researchers can collectively speak over seven major languages. Accessing recent operational and non-financial risk (ONFR) loss events is made effortless through the ORX News website, where they are summarised in English, categorised, searchable, and exportable. ORX News keeps you informed and connected with the latest ONFR developments and you can use the data for modelling, benchmarking and scenarios.