Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

Count of Organizations Affected by MOVEit Attacks Passes 515

36 Million Individuals Affected; Maximus Previews Notifying 8 Million to 11 Million
Count of Organizations Affected by MOVEit Attacks Passes 515
Screen grab from Clop's data leak site

The fallout from Clop group's data-grabbing attacks against users of MOVEit managed file transfer software continues to mount.

See Also: Supporting Malware Analysis at Scale

In recent days, Clop has added 70 more organizations to its data leak site, each of which likely experienced data loss through the Russian-speaking criminal gang's late May data theft spree.

Recently posted victims include U.S. government contractor Maximus, AmeriSave Mortgage Corp., hospitality software vendor Agilysys, the College of American Pathologists, software development firm Informatica, consultancy giant Deloitte, Johns Hopkins Health System and Chuck E. Cheese - the family restaurant chain personified by America's second-most famous rodent.

The Maximus leak of 169 gigabytes may be the largest yet, particularly given the company's admission to federal regulators that "at least" 8 million to 11 million individuals are affected. The Medicaid enrollment broker contractors said leaked information includes health data and Social Security numbers.

As of Thursday, at least 516 organizations appear to have been directly or indirectly affected by Clop's MOVEit attacks, reported German cybersecurity firm KonBriefing.

At least 36 million individuals have been affected, based on the data breach notifications issued by one-fifth of victims that include a count of victims, reported security firm Emsisoft.

Clop exploited a zero-day vulnerability in Progress Software's MOVEit beginning around May 29 and May 30, apparently timed to take advantage of the Memorial Day holiday weekend in the U.S. Progress patched the flaw on May 31, issuing a security alert warning customers to immediately update their software.

How many more organizations were hit or paid a ransom to avoid Clop from naming them publicly remains unclear. Security experts say the ransomware group may have cleared $75 million or more by shaking down a few large MOVEit victims and being willing to count everyone else as collateral damage.

Emsisoft reported that MOVEit victims so far include 109 U.S. schools, 23 public sector organizations in the U.S. and 31 abroad. It said 73% of known victims are U.S.-based and that the financial services, professional services and education sectors account for the greatest number of known incidents.

Clop claims on its data leak site that it has deleted any data it stole that pertains to government entities, implying that it hasn't attempted to extort them.

Maximus Notifying Up to 11 Million

Publicly traded Maximus, a $4.25 billion health and human services provider based in McLean, Virginia, said it expects to spend $15 million responding to its MOVEit hack, including sending out up to 11 million data breach notifications.

Maximus "uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs," it said in an 8-K filing Wednesday to the U.S. Securities and Exchange Commission.

The company said it "promptly commenced an investigation" after Progress Software issued its May 31 alert and reported that the third-party digital forensic investigators it hired have now concluded their probe. "Based on the review of impacted files to date, the company believes those files contain personal information, including Social Security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals," it said. Maximus is offering victims prepaid credit monitoring and identity theft monitoring services.

Service Providers Hit

Many organizations that use MOVEit are service providers, meaning when Clop stole data from their file transfer server, it obtained data for many other organizations.

One such service provider was Pension Benefit Information Research Services, aka PBI, which helps financial services firms meet multiple regulatory obligations, including to identify when policyholders have died and notify beneficiaries. The breach of PBI Research Services has led to a long and growing list of customers issuing data breach notifications.

Four of the latest PBI customers that have issued notifications - warning customers that stolen MOVEit-stored data included their names and Social Security numbers - including a count of how many notifications they issued, are:

  • Teachers Insurance and Annuity Association of America - 2,373,076
  • Corebridge Financial - 798,000
  • Talcott Resolution Life Insurance - 557,741
  • Aurora National Life Assurance Co. - 48,457

Some service provider victims appear to still be probing their intrusions. One such organization is National Student Clearinghouse, which works with more than 3,500 colleges and universities in the U.S. The organization holds data on 17.1 million current postsecondary students as well as student data from previous years. It has not yet detailed how many might be affected by the MOVEit attacks.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.