Credit card numbers were leaked along with other sensitive data, as the New Jersey-based bank joins the list of those affected by the MOVEit Transfer attacks.
The notice to affected clients on October 25th stated that the company’s third-party vendor, Fiserv, providing Kearny Bank with financial technology services, was impacted by the zero-day vulnerability exploit.
The vendor was using the file transfer tool MOVEit, which attackers targeted at the end of May. The threat actors accessed Fiserv’s MOVEit Transfer environment and “obtained certain files contained therein, including files that it maintains for Kearny Bank.” The bank claims that all its in-house applications and systems are secure and were not “impacted by the event.”
A zero-day exploit is a cyber attack targeting a vulnerability that’s unknown to either the software’s creators or antivirus vendors. The attacker spots the software vulnerability before any parties interested in mitigating it, quickly creates an exploit, and uses it for an attack.
An investigation into Fiserv and Kearny identified that the attackers got access to sensitive client data, including full names, home addresses, and financial data such as financial account numbers, credit/debit card numbers in combination with security codes, access codes, passwords, or PINs for the accounts.
The Office of the Maine Attorney General states that more than 17,509 clients were affected by the breach. The company has offered affected individuals free credit monitoring, fraud consultation, and identity restoration services for 24 months.
MOVEit hack has affected millions
In total, around 2100 organizations and 62 million people have been confirmed to be impacted by the MOVEit Transfer attacks, and new victims continue to come forward. Four major European banks – Deutsche Bank, ING Bank, Postbank, and Comdirect – reported customer data leaks linked to the MOVEit hack.
Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.
The Russia-linked Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug and has been posting victims' names on their dark web leak site since June.
In October, Progress Software, owners of the MOVEit Transfer software, disclosed other critical vulnerabilities that also pose a risk to its users.
More from Cybernews:
Subscribe to our newsletter