Incident & Breach Response , Security Operations

Known MOVEit Attack Victim Count Reaches 545 Organizations

Allegheny County Advises 1 Million Victims: Don't Trust Promises to Delete Data
Known MOVEit Attack Victim Count Reaches 545 Organizations
Image: Shutterstock

The number of organizations and individuals affected by the Clop ransomware group's data-stealing attack on MOVEit servers continues to rise.

See Also: 13 Essential Criteria to Consider For Cyber Resilience in IR & SoC Teams

As of Monday, at least 545 organizations appear to have been directly or indirectly affected by Clop's MOVEit attacks, reported German cybersecurity firm KonBriefing.

That's based on victims issuing data breach notifications as well as Clop's own data leak site, which it uses to pressure victims into paying to avoid seeing their name get listed or paying to get their name removed.

Known victims include American Airlines, consultancies EY and PwC, gas and oil giant Shell, PBI Research Services, TIAA, and the U.S. government departments of Energy and Agriculture, as well as the Office of Personnel Management, British communications regulator Ofcom, the government of Canadian province Nova Scotia, the Teachers Insurance and Annuity Association of America, and Louisiana and Oregon's registries of motor vehicles, among many others.

In recent days, Clop has named or begun to leak information for 50 more organizations via its data leak site. Each of the organizations likely experienced data loss through the Russian-speaking criminal gang's data theft spree. Beginning around May 28, the group targeted a zero-day vulnerability in MOVEit file transfer software, allowing it to steal data from hundreds of organizations. Progress Software, which makes the software, issued a security alert and patch for the vulnerability on May 31.

As a result of its attacks, Clop stole data that included personal details for at least 38 million individuals, based on the data breach notifications issued by one-fifth of victims that include a count of victims, reported security firm Emsisoft. It said the most-affected industries appear to be education, accounting for 24% of all known incidents, followed by finance and professional services, at 22%. Emsisoft also said U.S. organizations comprise 74% of known victims.

Allegheny County Discloses Breach

One victim that has recently come to light is Western Pennsylvania's Allegheny County, which reports that Clop stole information pertaining to 967,690 individuals.

The county said in a data breach notification that its MOVEit server had been accessed by Clop on May 28 or May 29 and that it became aware of the attack on June 1, at which point its IT team patched the MOVEit software and officials brought in cybersecurity experts to probe the breach.

Stolen information pertains to people who live or work in the county and includes each victim's Social Security number, birthdate and driver's license or state identification number. In some cases, hackers also saw individuals' medical information, including diagnoses, treatment information and billing claims.

Clop claimed on its data leak site that if it had stolen information from a government organization or entity, it had deleted the data and wouldn't attempt to extort the victim. Allegheny County said that Clop has claimed "that it has deleted data specifically belonging to Allegheny County." Even so, officials are "still encouraging individuals to take precautionary steps to protect their personal information."

The county said it is sending notifications to affected individuals if it has their contact details, and it is offering 24 months of identity theft monitoring services to any victim whose Social Security number was stolen. Anyone can contact a call center the county has set up, to see if their personal information was comprised in the attack.

More Victims Come to Light

Other organizations that recently issued data breach notifications include the University of Rochester, which reported that Clop stole data pertaining to 88,025 individuals directly from its MOVEit server.

Last week, government contractor Maximus told government regulators Clop had stolen 169 gigabytes of data and that it expected to notify "at least" 8 million to 11 million individuals that their personal information was contained in the 169 gigabytes of data attackers stole.

Some victim organizations work with one or more hacked service providers. TIAA Kaspick, for example, recently reported that information on 27,946 individuals had been stolen from its service provider, Pension Benefit Information Research Services. PBI Research is widely used in the financial services sector. Many other organizations have reported that information pertaining to their customers or policyholders being stored by the service provider was stolen by Clop.

The full extent of Clop's attacks remains unclear. On its data leak site, Clop recently leaked information stolen from the University System of Georgia and the University of Georgia, technology and engineering giant Emerson Electric Co., multinational conglomerate Honeywell, UMass Chan Medical School, and Choice Hotels' Radisson hotels in the U.S., among many others. On Monday, Clop published torrents that it said contained data it had stolen from EY, PwC and 1st Source Bank in Indiana, which earlier this month said it had notified 450,000 individuals that their personal information was stolen.

At least some affected organizations appear to still be probing their intrusions. They include National Student Clearinghouse, which works with more than 3,500 colleges and universities in the U.S. and holds data on 17.1 million current postsecondary students as well as student data from previous years.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.