Pacific Premier Bank clients exposed in MOVEit attacks


Data held by a third-party vendor of Pacific Premier Bancorp was stolen during the MOVEit Transfer attacks, exposing the bank’s clients.

The vendor confirmed that personal data had been compromised in the incident, which involved the popular file transfer tool MOVEit. An exploit of a now-patched software vulnerability allowed attackers to access and download the data stored there. The bank said it uses the vendor for specific tax and compliance operational support services.

The compromised client data contained Social Security numbers, account numbers, and other personally identifiable information, Pacific Premier said in a regulatory filing. The company did not disclose the scale of the data breach but said it is working with the vendor to notify potentially affected parties and regulatory agencies.

Firms, institutions, and government departments using the file-sharing software MOVEit have recently been hit by data breaches. Ransomware gang Cl0p has taken credit for the string of attacks. At the time of writing this article, over 430 organizations have been confirmed to be impacted by the attacks, with over 23 million people having their data exposed.

“There is no indication the vendor incident involved the company’s internal network or IT systems, and there has been no material interruption to the company’s business operations,” the bank said in a filing.

Experts fear that Cl0p’s success will inspire others to follow. Given that the average ransom payout is over $250,000 and hundreds of organizations have been impacted so far, the group may already have generated several million dollars even if only 10% of those affected paid the ransom.

Meanwhile, the gang’s dark web blog, a place to showcase its latest victims, is updated almost daily with the names of globally famous brands. Shell Global, TomTom, Pioneer Electronics, Shutterfly, ING Bank, Sony, Siemens Energy, and many others have been listed, with many more likely to come.

People in the cyber industry also know Cl0p as TA505, Lace Tempest, Dungeon Spider, and FIN11. Like many other established players, Cl0p typically operates under the Ransomware-as-a-Service (RaaS) model, which means that it rents the software to affiliates for a pre-agreed cut of the ransom payment.

Exclusive information, vetted by Cybernews, indicates that at least some of Cl0p’s affiliates might be residing in Kramatorsk, a Ukrainian city in the country’s embattled east. US officials are offering a $10 million bounty on the Cl0p gang.
