Breach Notification , Security Operations

Data Theft Via MOVEit: 4.5 Million More Individuals Affected

Latest Tally of Clop Campaign Victims: 670 Organizations, 46 Million Individuals
Data Theft Via MOVEit: 4.5 Million More Individuals Affected
"Pikes Peak or Bust" (Image: Shutterstock)

The victim count of Clop cybercrime group's MOVEit hack is creeping ever upward, and 670 organizations are now known to have been caught up in the mass theft of data from the file transfer application.

Based on breach notifications, at least 46 million individuals' personal details have been stolen as a result of the attacks, reports cybersecurity firm Emsisoft. U.S.-based firms account for 78% of the victims, followed by Germany with 5%, Canada with 4% and the U.K. with 3%, it said. The count of affected organizations comes from German cybersecurity firm KonBriefing.

Among the latest organizations to release a MOVEit hack-instigated breach notification is Colorado's Department of Health Care Policy & Financing, which is notifying 4.1 million individuals that their personal information has been stolen.

The healthcare agency oversees the state's Medicaid program, called Health First Colorado, as well as the Child Health Plan Plus, aka CHP+, and other healthcare programs for Coloradans who qualify.

Exposed information may have included a victim's full name, Social Security number, Medicaid or Medicare ID, birthdate, home address and income information, as well as clinical and medical information.

HCPF said the data had been stolen from service provider IBM, which uses the MOVEit application to move data files. The agency is offering victims two years of prepaid identity theft monitoring services.

The Colorado agency is one of hundreds of organizations now known to have been directly or indirectly affected by Russian-speaking Clop's data-stealing campaign. Other organizations that fell victim include Shell, UCLA, Siemens Energy, consultancies EY and PwC, the U.S. government departments of Energy and Agriculture and the Office of Personnel Management, motor vehicle agencies in Louisiana and Oregon, and British payroll provider Zelle, among many others.

Clop appears to have unleashed its highly automated attacks, targeting a zero-day vulnerability in MOVEit servers, on May 27.

On May 31, MOVEit's developer, Burlington, Massachusetts-based Progress Software, issued its first security alert about the flaw, designated CVE-2023-34362. Progress urged all customers to immediately take their software offline until they could upgrade it to a patched version that fixed the flaw.

How Clop found the zero-day flaw in MOVEit remains unclear, although this is the fourth campaign in which the group has targeted this type of flaw to steal large amounts of data in a rapid, high-impact campaign.

Clop has since been attempting to extort victims. For nonpaying victims, the group has been posting names and stolen data to its data leak site.

Financial Services Victims

Like Colorado's state healthcare agency, many organizations have been indirect victims due to the fact that their service providers who used MOVEit software had been hacked. They include New York Life Insurance Co., the third-largest life insurance company in the United States, which on Friday disclosed that 25,685 individuals had been affected via the breach of PBI Research Services' MOVEit server.

PBI Research is widely used in the financial services sector, and numerous other organizations have already disclosed that information on their customers was stolen from its MOVEit servers. PBI is providing all victims with 12 months of credit and identity theft monitoring from Kroll.

Also on Friday, Umpqua Bank, based in Tacoma, Washington, said it has begun notifying 429,252 individuals that they were affected by the theft of data from one of its service providers, which uses MOVEit. "This vendor provides technology services to many of the world's leading banks, including Umpqua," the bank's data breach notification says, without naming the vendor. Umpqua is providing two years of identity theft monitoring for victims from ChexSystems.

Florida Healthy Kids Data Stolen

Florida Healthy Kids - a state-sponsored health insurance program - fell victim via an attack on the MOVEit servers of Maximus, the widely used government contractor that administers the program, as DataBreaches.net first reported.

Publicly traded Maximus, which has $1.2 billion in annual revenue, previously reported that Clop had stolen 169 gigabytes of data, pertaining to multiple customers, from its MOVEit server.

In its data breach notification to affected Florida Healthy Kids users, Maximus didn't quantity the number of children or families affected. The company has previously warned regulators it expects to notify "at least" 8 million to 11 million individuals in total, which so far is the single largest collection of victims reported by any organization breached via Clop's MOVEit campaign.

Maximus said it had "detected unusual activity in its MOVEit environment" on May 30 and took its MOVEit server offline on May 31, prior to Progress Software issuing its first security alert.

In a Securities and Exchange Commission filing on July 26, Maximus told investors that its Q3 results "include an approximately $22 million expense for total investigation and remediation costs related to the incident."

Maximus said it is providing two years of credit and identity theft monitoring services to victims.

With more victims continuing to come to light or providing updates, the full number of Clop victims is likely to increase.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.