MOVEit breach: over 1,000 organizations and 60 million individuals affected

When Russia’s Cl0p gang hacked Progress Software’s MOVEit Transfer app via a zero-day SQL injection vulnerability on May 27, it soon became apparent that the number of organizations and individuals affected would be high.

The first known victim was the payroll services provider Zellis, whose high-profile customers included British Airways, the BBC and Aer Lingus, all of which suffered data breaches as a result.

Other victims soon became known, including:

  • The oil and gas multinational Shell;
  • The University of Georgia;
  • The Boston-based investment fund Putnam;
  • The financial services organizations 1st Source and First National Bankers Bank;
  • Landal Greenparks in the Netherlands;
  • The financial software provider Datasite;
  • The educational non-profit organization National Student Clearinghouse;
  • The student health insurance provider United Healthcare Student Resources;
  • The manufacturer Leggett & Platt;
  • The Government of Nova Scotia;
  • Johns Hopkins University;
  • The professional services multinational Ernst & Young;
  • The Swiss insurance Company ÖKK; and
  • The German mechanical engineering company Heidelberg.

This, however, was only the tip of the iceberg.

Cl0p confirmed that it had stolen data from “hundreds of companies”, and threatened to begin publishing its victims’ information if they did not pay a ransom. The gang was true to its word: on 14 June, it released the first batch of victims’ names on its dark web site and continued to leak information in the weeks that followed.

The largest hack of the year so far

It’s now been confirmed that the breach has affected over 1,000 organizations and 60 million individuals all around the world – although it should be noted that there is likely to be some overlap in terms of individuals affected.

According to analysis by Emsisoft, U.S.-based organizations accounted for 84.7% of known victims, those in Germany 3.4%, those in Canada 2.6%, and those in the UK 1.9%.

Those most impacted are:

  • The U.S. government services contractor Maximus (11 million individuals affected)
  • The French unemployment agency Pôle Emploi (10 million individuals affected)
  • Louisiana Office of Motor Vehicles (6 million individuals affected)
  • Colorado Department of Health Care Policy and Financing (4 million individuals affected)
  • Oregon Department of Transportation (3.5 million individuals affected)

Supply-chain security

It remains difficult to see what Progress Software could have done differently. Zero-day vulnerabilities are by their nature difficult to defend. Progress worked quickly to patch the vulnerability the criminals exploited, as well as identifying other critical vulnerabilities in MOVEit Transfer.

For Progress’s clients, there is undoubtedly little comfort in this, but when it comes to the crunch, organizations must accept that there are security risks associated with information technology and that breaches are to a great extent inevitable – especially when third parties are involved. Indeed, recent research found that over 60% of U.S. businesses have been directly affected by a software supply chain threat in the past year.

Moreover, supply-chain compromises – data breaches that originate in an attack on a business partner – are more severe than direct attacks. According to IBM’s Cost of a Data Breach Report 2023, business partner supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other types of breach.

When it comes to software supply chain compromises like the MOVEit Transfer breach, the figures are marginally better, but still concerning: software supply chain compromises cost 8.3% more and 8.9% longer to identify and contain than other breach types.

However, just because risks are inevitable doesn’t mean they can’t be mitigated.

Free webinar: Privacy Integration – Empowering your ISO 27001 ISMS with ISO 27701 and EuroPrivacy Certification

The international standard for information security management, ISO 27001, sets out a risk-based approach to information security that can be used to assure you of the security of your entire supply chain.

If you want to know more about ISO 27001 and how its approach can help secure your organization, you will be interested in our 45-minute webinar, delivered by our Founder and Executive Chairman, Alan Calder, and hosted in association with Perry Johnson Registrars.

Discover how ISO 27701 can significantly enhance your privacy practices, align with international privacy standards, and fortify your overall information security framework.

In addition, learn how EuroPrivacy certification, an EDPB (European Data Protection Board)-approved certification that demonstrates GDPR compliance, can provide US companies offering services into the EU with an invaluable badge of credibility.