Service Provider’s Probe Counts More Victims of MOVEit Hacks

The count of organizations and individuals affected by ransomware-as-a-service group Clop’s attack on MOVEit file-transfer users keeps accruing new victims.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The Teachers Insurance and Annuity Association of America now reports that information on 2.6 million members was exposed as a result of the attack on a service provider’s MOVEit server.

Impacted data includes Social Security numbers, dates of birth and addresses, TIAA said in a data breach notification letter.

Hundreds of organizations, including TIAA, lost control of personally identifiable information as a result of Clop’s attack campaign in late May. The criminal group doesn’t appear to have exploited the flaw to gain wider access to victims’ networks. Rather, the Russian-speaking criminal group has threatened to post victims’ names and leak stolen data unless they pay a ransom.

As of Monday, German cybersecurity research firm KonBriefing reported that more than 420 organizations are now known to have been affected by the MOVEit campaign, either because their file-transfer server got hacked, or because one or more of their MOVEit-using service providers fell victim.

The vast majority of affected organizations are based in the United States, where the FBI and Cybersecurity and Infrastructure Security Agency continue to probe the attacks and assist victims.

Only about 70 impacted organizations in total have publicly disclosed how many individuals were affected, according to Brett Callow, a security adviser at Emsisoft.

Clop’s Data-Stealing Campaign

The Clop ransomware syndicate targeted a zero-day vulnerability in MOVEit, built by Massachusetts-based Progress Software, to steal data from numerous organizations around May 29 and May 30. On May 31, publicly traded Progress issued a security alert and released a patch for the flaw.

TIAA does not use MOVEit software. Instead, the breach of its data traces to widely used third-party service provider PBI Research Services, which helps financial services firms comply with regulatory rules requiring them to identify when customers die, to trigger and deliver death benefits.

PBI said it “became aware of the MOVEit compromise on June 2” and “promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted impacted clients.” PBI didn’t immediately respond to a query about whether its breach probe has concluded.

Additional investigations are underway, meaning the total number of victim organizations and affected individuals could continue to increase. KonBriefing reports that 84 U.S. colleges and universities warned current and former students and staff that their information may have been exposed, typically through a service provider.

Buffalo State, part of the State University of New York, warned that personal information may have been exposed as a result of Clop hitting not just TIAA but also the National Student Clearinghouse and Corebridge. “Each organization has contacted SUNY to alert it of the possibility that the personal information of students, employees, and retirees may have been affected,” it said.

Corebridge itself said Clop didn’t breach its systems, but rather the systems of an unnamed third-party provider that it uses “for regulatory compliance and operational support services for our businesses.”

The National Student Clearinghouse said it was directly hit by Clop, quickly patched the MOVEit vulnerability and brought in a third-party cybersecurity firm to probe the breach and help with incident response. Following the attack, the organization said it’s implemented a number of recommendations from the likes of the “FBI, CISA, Mandiant, Microsoft and others” to better lock down is infrastructure.

NSC works with over 3,500 colleges and universities, representing 97% of postsecondary enrollment in the United States. The organization has not yet detailed a total count of organizations and individuals affected by Clop’s attack on its MOVEit server.

The organization said it’s continuing to use MOVEit, although has rebuilt its “entire MOVEit environment so that all of our customers’ data is entering into a newly built, pristine environment that was never accessed” by the attackers. NSC said it’s also “implemented additional monitoring measures” to better spot these types of attack attempts in the future.