Though the MOVEit breach is now a year and a half old, it continues to make headlines, with a gigantic new trove of stolen employee data offered for sale on a hacking forum. Amazon has confirmed that more than half of that data is legitimate and belongs to the company. It also says that a third-party breach is responsible, one that likely impacted a number of other companies.
Third-party breach at property management company allegedly responsible for records theft
The breach seems to be relatively recent, but does involve the MOVEit vulnerability (CVE-2023-34362) that caused so much havoc in the second half of 2023. Patches have been available for a long time now, but the risk of a third-party breach appears to remain because not everyone has applied them yet.
This comes after an extended campaign in which hackers have already racked up thousands of victims and tens of millions of stolen records, and at this point it is very hard to explain. But we see once again that a company’s security is only as good as that of the trusted members of its supply chain.
The ransomware gang Clop originally discovered the vulnerability, and was behind nearly all of the breaches in 2023. This new threat actor has no established connection with the group, and it is unclear whether they conducted the third-party breach on their own or simply have access to previously stolen data that has not been made public before. Clop was known for leaking data on the clear web, which meant that those data leak sites were often very quickly taken down.
Employee data likely limited to basic contact information
With a total of five million records on offer, and over half of those belonging to Amazon, the third-party breach is definitely a matter of concern. However, statements from both Amazon and the hacker indicate that the stolen employee data did not contain highly sensitive information like Social Security numbers or banking information.
Amazon says that the stolen employee data is limited to work email addresses, desk phone numbers, and building locations, despite the huge number of records. The hacker confirmed these items but added that it had cost center codes and much more expansive internal information about organizational structures. There is no indication yet that Amazon customer accounts or AWS accounts are impacted in any way, and the company has not advised any password changes or additional security measures.
The trouble does not seem to be over, however. The hacker claimed that they have 250 terabytes of stolen information and that the current load of employee data is “only the beginning.” They indicated there may be as many as 1,000 breaches not yet known to the public, though it remains to be seen if this talk is substantiated.
Third-party breaches are an increasing focus for hackers as frequently bitten enterprise companies tighten up their security. While the third party rarely provides a viable path into company servers, it may be sitting on sensitive data or have the level of access to get at it if employee accounts are compromised. Companies have some ability to dictate security requirements to vendors in their contracts, but visibility and reach will always be very limited. Perhaps the best thing that can be done is to take inventory of all data and ensure it is not sitting in places where it shouldn’t be.