23 Million Individuals’ Personal Details Exposed, Notifications Collectively Show
More details about victims of the Clop crime group’s zero-day attacks on users of the widely used MOVEit file transfer software continue to come to light.
Recently reported victims of the attacks, it said, include healthcare risk adjustment firm Cognisight, Pacific Premier Bank, Northwestern Mutual, Transactions Applications Group, Sutter Senior Care, the Brighthouse and TransAmerica life insurance companies, and the U.S. colleges of Collin, Foothill and Lake Forest.
Other recently reported victims include aerospace firm Honeywell, Sun Life Assurance, University of Texas Southwestern Medical Center and Bristol Myers Squibb, according to law firm JD Supra.
Many victim organizations have begun sending letters to individuals whose information was exposed as a result of the MOVEit hacks. These include life insurance companies Jackson National and Talcott Resolution, both of which said their customer data breaches trace to service provider PBI Research Services. Jackson National last month estimated that up to 800,000 individuals’ personal details might have been exposed. Talcott Resolution says it is notifying 553,000 individuals.
Indiana-based 1st Source Bank, in an 8-K form filed Monday to the SEC, said it has begun notifying about 450,000 customers. The bank said attackers accessed “sensitive data of commercial and individual clients, including personally identifiable information of individuals.”
Harris Health, an integrated healthcare system in Houston, told authorities in Texas it has begun notifying 229,195 state residents – how many more might be affected nationwide isn’t clear – that their information was stolen in a MOVEit attack. Harris Health said in its data breach notification that stolen information may have included a patient’s name, address, birthdate, government-issued identification number, details of medical procedures and Social Security number.
“The incident did not impact Harris Health’s electronic medical records and to date, Harris Health believes that it did not include patients’ bank or other financial account information,” it said.
At Least 23 Million Individuals Affected
Security firm Emsisoft reported that, based on figures released by affected organizations, at least 23 million individuals’ personal details have been stolen by attackers and have been held to ransom. The firm said that only about one-fifth of victim organizations have issued a public count of the total number of individuals whose personal details were exposed, meaning many more individuals are likely affected.
The Russian-language Clop group appears to have unleashed its highly automated mass attack around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a zero-day vulnerability in Progress Software’s MOVEit, which it used to steal data from an as-yet-unknown number of organizations.
Progress issued a security alert and patch for MOVEit on May 31 that blocked further attacks. Whether or not Clop continued its attacks after that remains unclear.
Multiple organizations that use MOVEit have said they confirmed the attack on their MOVEit server on June 2, but they said the attack occurred between May 28 and May 30.
Clop has been attempting to extort nongovernmental organizations whose information it stole, and it is listing some nonpaying victims on its data leak site. Ransomware-tracking experts say the group’s repeat targeting of zero-day flaws in widely used software – MOVEit is the fourth such attack – appears highly profitable and requires less work than attempting to individually infect a multitude of organizations with crypto-locking malware.
“It is likely that the Clop group may earn $75 million to $100 million just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments,” ransomware response firm Coveware reported (see: As Ransomware Monetization Hits Record Low, Groups Innovate).
Service Providers Magnify Impact
Some organizations fell victim because Clop directly hacked their MOVEit server and stole data. Others fell victim because one or more of their service providers’ MOVEit servers were hit.
Hacked service providers include PBI Research Services, which is widely used in the financial services industry. One of its customers is the Teachers Insurance and Annuity Association of America, which recently reportedly that information on 2.6 million of its members that was being held by PBI was stolen.
Clop also hit National Student Clearinghouse, which works with more than 3,500 colleges and universities in the U.S. and which has data on 17.1 million current postsecondary students as well as students from previous years. How much of that information was stolen isn’t yet clear; NSC says its MOVEit breach probe remains ongoing.