The massive MOVEit data breach is thought to have exposed some 62 million records of personal data to date, and over half a million emails from the Departments of Justice and Defense can now be added to that list. However, the agencies say that the contents are from non-classified accounts, are of “low severity” and do not pose a “systemic” threat to national security.
MOVEit data breach damage continues to mount
The MOVEit data breach is thought to have brought in a sum in the high tens of millions of dollars for the Cl0p hacking group thus far, and the damage is not yet complete as organizations struggle to keep up with a series of patches that has extended into early October. The attack was particularly damaging due to the number of large and well-funded companies that make use of MOVEit, with some 2,100 of the company’s clients thought to have been breached at this point.
Some of those clients are already organizing class actions against MOVEit publisher Progress, predicated on the fact that the data breach stems from vulnerabilities present since at least 2021 (though they were zero-days at the time they were exploited). State governments have been among those hit by Cl0p for millions of records of personal information, including the Louisiana DMV and a huge chunk of California’s system for retired state employees.
While Progress continues to issue patches as fast as it can find vulnerable elements of the software that are open to exploitation, organizations are not necessarily keeping up with them. This means that the MOVEit data breach is not really over yet, and more victims may well be forthcoming.
Ransomware gang drops its ransomware to rack up tens of millions of records
The MOVEit data breach saw Cl0p shift from using ransomware to engaging in simple data extortion, seemingly trying to be as quiet as possible for as long as possible as it exploited the zero-days to collect the information it later used to extort victims.
The news of the federal agency email breaches comes by way of Bloomberg, which had to file a FOIA request to obtain an internal Office of Personnel Management (OPM) report that documents known damage to the federal government. Though the stolen information did not contain classified materials, it is highly likely that it contains elements useful to assorted brute force/credential stuffing login campaigns and phishing attempts. In terms of details on exactly what was stolen, the OPM report only says that the hackers obtained internal surveys and agency tracking codes.
Progress has issued a series of patches for the MOVEit data breach that began early in the summer and has now stretched into early October. Organizations must apply these patches manually or they will remain vulnerable to attacks, something that they may not be aware of until Cl0p threatens to dump their sensitive data to the open internet.