Yet another organization has disclosed falling foul of the Cl0p ransomware gang’s MOVEit data breach. The Teachers Insurance and Annuity Association of America (TIAA) admitted on Friday that more than 2.63 million of its customers have been exposed.
The disclosure made to the Attorney General’s Office in Maine — which imposes unusually strict reporting requirements on cyberattacks affecting any of its residents and therefore serves as a useful bellwether — is curious given that only three weeks ago, TIAA played down the impact of the MOVEit breach.
"No information was obtained from TIAA's systems and TIAA systems were not at risk from the MOVEit Transfer vulnerability,” said spokesperson Chad Peterson on July 4th.
While admitting that information shared with financial services provider TIAA by third parties may have been compromised, Peterson added: “We have not observed any related unusual activity from this event involving TIAA accounts.”
Now TIAA appears to have backtracked somewhat on that earlier upbeat statement, putting in a disclosure with Maine authorities declaring that 2,630,717 people, including 17,640 state residents, may have had their names and Social Security numbers stolen by Cl0p.
It could be Cl0p’s biggest MOVEit scalp to date — previously the largest single batch of victims from a target organization was thought to be US-based insurer Wilton Re, which disclosed 1.5 million exposed accounts last month.
The peculiarly named and prolific ransomware gang has claimed responsibility for the far-reaching cyberattack, which has been reported as taking down a slew of high-profile victims, including Shell, the US Department of Energy, and British Airways, since it was exposed in June.
TIAA’s disclosure to Maine says the breach occurred on May 29th and was discovered on June 28th — a week before it was reported by media as playing down the impact that it had had.
The culture of secrecy that pervades victims of ransomware gangs is nothing of a surprise — many organizations prefer to ‘hedge their bets’ and withhold full and frank disclosure until compelled to by authorities for fear of a loss of reputation.
MOVEit Transfer is a managed file transfer software, and the now-patched zero-day bug that compromised its servers allowed the attackers to access and download data stored there.
The flaw is a Structured Query Language (SQL) injection vulnerability, a type of bug that attackers use to insert malicious code, which can then be used to manipulate the behavior of a database.
TIAA is a Fortune 500 company that offers financial services to around five million retired and active professionals in academia, medicine, research, and the government. Founded in 1918, it serves this client base across more than 15,000 institutions and was recently valued at around $1.3 trillion in assets under management.
Your email address will not be published. Required fields are markedmarked