Skip to main content

MOVEit data breach exposed personal data of 64M people; SEC investigating

A MOVEit data breach resulted in “at least” 64 million people having their personal data exposed by the failings of a company they’ve likely never heard of.

The breach affected customer organizations ranging from Sony to the Louisiana Office of Motor Vehicles, and the SEC is now investigating …

MOVEit data breach

Rather ironically, MOVEit offers software to help companies and government agencies transfer files according to “strict cybersecurity compliance standards such as PCI-DSS, HIPAA, GDPR, SOC2 and more” and claims to “provide a secure environment for your most sensitive files.”

But a zero-day vulnerability in its software was exploited by a large-scale ransomware gang, as described in a Malwarebytes report back in August.

The full impact of the breach may still not be fully known, but one report cited by Engadget says that the personal data of at least 64M people has been compromised, through more than 2,500 different organizations.

It is a legal requirement for public companies impacted by data breaches to declare that fact, as their stock price may be impacted, and it may introduce financial risks like lawsuits. The Securities & Exchanges Commission (SEC) beefed up this reporting requirement in July. The new rule gives companies just four days to disclose the breach.

Progress Software has revealed that it is facing 58 class action lawsuits.

SEC now investigating

Today’s report says that the SEC is now investigating the hack.

Progress Software disclosed that it has received a subpoena from the SEC to share information relating to the vulnerability in its file transfer software, MOVEit, which became the subject of a massive exploit beginning last May.

According to the filing, the investigation is presently a “fact-finding inquiry,” and there’s no indication at this time that Progress has “violated federal securities laws.” The company intends to cooperate with the SEC.

Double-extortion tactic by ransomware gangs

One reason for the sheer amount of data exposed is that ransomware gangs this year began employing a double-extortion technique.

Previously, gangs would encrypt data belonging to organizations, denying them access to it. They would then demand a ransom in return for the decryption key.

However, organizations with solid backup regimes would be able to roll back their systems in order to regain access. Ransomware gang CL0P responded by saying that if the organization didn’t pay, it would also make the stolen data public.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications