1.5M people exposed in biggest MOVEit bug breach so far


Wilton Re, a US-based insurer, said that a third-party vendor breach via the MOVEit transfer exploit exposed the details of nearly 1.5 million people.

The insurer joins the growing list of companies affected by the now-patched MOVEit transfer bug that allowed attackers to access and download the data stored there.

According to the information that Wilton Re provided to the Maine Attorney General, the incident took place in the MOVEit transfer tool used by the company’s third-party service provider, PBI Research Services.

The company’s breach notification indicates that the data of nearly 1.5 million people was exposed during the breach. The attackers gained access to Social Security Numbers (SSNs).

Stolen SSNs often end up on underground marketplaces, where cybercriminals can buy the data to use in whichever way they like.

It’s estimated that on its own, an SSN costs up to $4 on the dark web. However, a collated dataset with additional information on the individual can double the price.

Losing SSNs poses significant risks as impersonators can use stolen data in tandem with names and driver’s license numbers for identity theft.

Why is the MOVEit zero-day important?

Since organizations use the MOVEit service to send and receive files from their clients using secure channels, attackers were able to access sensitive data.

The Russia-linked Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug. They claim to have breached hundreds of companies in the process. Experts we’ve spoken to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.

Cl0p has been posting victims’ names on their dark web leak site since June 14th, with Shell Global, Telos, Norton LifeLock, and tens of others uploaded so far. The extent of the exposed data depends on how a certain company uses the file transfer system.

However, Wilton Re and PBI Research Services are so far not listed on Cl0p’s dark web blog, which the gang uses to showcase its victims.

Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.

The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data on its data leak site if the ransom is not paid.

