The largest hack of the year is the mass-exploitation of MOVEit Transfer software. According to Emsisoft, the MOVEit breach has affected more than 1,000 people. The full impact of the attack will likely not be known for months.
This makes the MOVEit hack the largest of 2023 and recent history.
Progress disclosed a zero-day vulnerability in MOVEit Transfer, its managed file transfer service used by thousands of organizations worldwide to move large amounts of sensitive data over the internet, in May. The critical vulnerability allowed the Clop ransomware and extortion gang to raid MOVEit Transfer servers and steal customers’ sensitive data.
Clop’s attacks and threats to publish stolen data if it doesn’t get paid have continued, as have the number of victim organizations, impacted individuals, and fallout costs.
The MOVEit mass hack is analyzed numerically.
The number of victim organizations reached 1,000 on August 25, and the number of affected individuals reached 60 million.
Emsisoft compiled this figure from state breach notifications, SEC regulatory filings, and other public disclosures. Emsisoft notes that while there will be some overlap in affected individuals, the number will likely increase as more organizations confirm MOVEit-related data breaches.
Emisoft researchers found that 83.9% of MOVEit corporate victims are U.S.-based. German companies account for 3.6% of victims, followed by Canadian and UK firms at 2.6% and 2.1%, respectively.
Maximus, a U.S. government services contractor, became the largest victim of the MOVEit breach in July after hackers accessed 11 million people’s protected health information, including Social Security numbers. The Virginia firm said it had not yet determined the number of affected individuals.
The breach of Pôle emploi, the French unemployment agency, which compromised up to 10 million people’s personal data, closely follows this incident. This makes the French agency the second-largest mass-hack victim.
Louisiana Office of Motor Vehicles (6 million) completes the top five MOVEit victims. Colorado Department of Health Care Policy and Financing (4 million) and Oregon Department of Transportation (3.5 million).
Security analysis firm Censys found that one-third of hosts running vulnerable MOVEit servers at the time of the mass-hacks were financial service companies.
The report examined 1,400 openly accessible MOVEit servers and found that 15.96% were linked to healthcare, 8.92% to IT, and 7.5% to government and military.
The estimated total cost of MOVEit mass-hacks so far. IBM data shows that the average data breach last year cost $165 and affected a number of people.
Emsisoft noted that only a few corporate victims have reported the number of affected individuals. Emsisoft estimated that scaling the number would cost at least $65 billion.
Research suggests Clop may have held its MOVEit exploit since 2021. The vulnerability was discovered in late May, but U.S. risk consulting firm Kroll found activity indicating that Clop had been experimenting with exploiting it for almost two years.
“It appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially,” Kroll says.
The U.S. State Department offered a $10 million bounty for Clop ransomware information after the MOVEit breach compromised records from several department entities.
The Department of Energy told two of its entities were breached.
According to ransomware recovery company Coveware, Clop could earn this much from the MOVEit mass-hacking campaign if only a few victims paid large ransoms.
“This is a dangerous and staggering sum of money for a small group. This amount exceeds Canada’s annual offensive security budget, said Coveware.
Clop claims to have this much government, city, and police data. On its dark web leak site, the gang said it would “do the polite thing” and delete all government data. Clop has not provided proof or verified its claim. “We are only financial [sic] motivated,” hackers wrote.