20 Million Individuals’ Details Collectively Stolen, Based on 20% of Victim Reports
The count of organizations affected by the Clop ransomware group’s attack on MOVEit file-transfer software users continues to grow.
As of Friday, over 400 organizations have confirmed that Clop obtained their data, according to German cybersecurity research firm KonBriefing.
Some affected organizations were breached when the Russian-language Clop group attacked their MOVEit Transfer software, while others fell victim because Clop hit one or more of their MOVEit-using service providers.
The number of individuals whose personal data was stolen in the attacks now surpasses 20 million, said Brett Callow, a threat analyst at New Zealand-based anti-malware firm Emsisoft. His victim count is based on the fewer than 70 data breach disclosures to date that have quantified the number of affected individuals; 80% of victim organizations have not yet shared such information. Thus the true number of victims is likely much higher.
The majority of the MOVEit breaches appeared to take place on May 30 and May 31, when Clop targeted a zero-day vulnerability, tracked as CVE-2023-34362, in MOVEit. Massachusetts-based Progress Software, which sells MOVEit, patched the flaw on May 31, blocking further attacks.
Progress Software is already the target of at least one proposed class action lawsuit filed by victims. They’re accusing Progress of having failed “to properly secure and safeguard” individuals’ personal data, leaving them at increased risk of identity theft.
While most known victims to date are U.S.-based, KonBriefing said so far 32 victims are in Germany, 22 in Canada and 18 in the United Kingdom, plus a handful more in over 20 other countries. Clop has been slowly releasing new victim names, typically in batches of 10, to its data leak site, apparently because the victims declined to pay a ransom. How many affected organizations paid the group a ransom in exchange for a promise to not be named remains unclear.
Known Victim List Grows
A number of big-name organizations fell victim to Clop, including American Airlines, British Airways, Shell, the U.S. Department of Energy, numerous pension firms, the Louisiana Department of Motor Vehicles, as well as a long list of universities.
In recent days, more victims have come to light as the organizations issued data breach notifications detailing how many individuals’ personal details – typically Social Security numbers – were exposed: Fidelity & Guaranty Life Insurance Co., 873,000 victims; 1st Source Bank in Indiana, 450,000 victims; Franklin Mint Federal Credit Union in Pennsylvania, 141,000 victims; TSG Interactive US Services Limited, which does business as PokerStars, 110,291 victims; Athene Annuity and Life Company in Iowa, 70,412 victims; and Massachusetts Mutual Life Co., aka MassMutual, 242 victims.
The total number of organizations affected by the MOVEit campaign remains an open question. In a data breach notification filed with the Maine Attorney General’s Office, 1st Source Bank says it “is one of an estimated 2,500 organizations worldwide that may have recently been affected by the MOVEit software vulnerability.” The bank provided no source for that estimate.
Service Providers Compound Impact
Complicating any such analysis is the fact that multiple service providers fell victim to Clop’s attacks, compounding the impact of its campaign. One victim was third-party service provider PBI Research Services, which helps pension plans and insurers comply with regulatory rules requiring them to identify when customers die, to trigger and deliver death benefits. PBI now says the attack compromised data for at least 1.2 million individuals that it stored on behalf of multiple customers.
Another service provider victim of the MOVEit campaign was Teachers Insurance and Annuity Association, which works with more than 15,000 institutions and serves 5 million active and retired employees. It’s continuing to probe the impact of Clop’s attack against it. So too is National Student Clearinghouse, which processes data for 17.1 million students currently enrolled in 3,600 colleges and universities, representing 97% of current U.S. postsecondary enrollment – “as well as students who were enrolled in previous years,” Emsisoft said. How many of them might also be affected?
The expert consensus is that it’s far too soon to guess the full extent of the MOVEit data breaches. “The number of known victims will certainly increase in the coming weeks,” said Bert Kondruss, managing director at KonBriefing Research.