Catching up on news stories today and saw this one regarding a MOVEit Transfer zero-day vulnerability that has exposed 4.75 million records across just three clients.
As reported by Bill Toulas of Bleeping Computer (MOVEit breach impacts Genworth, CalPERS as data for 3.2 million exposed), PBI Research Services (PBI) has suffered a data breach, with three clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks.
These attacks started on May 27th, 2023, when the Clop ransomware gang began exploiting a MOVEit Transfer zero-day vulnerability to allegedly steal data from hundreds of companies. A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. Then it becomes a race to apply a patch or other mitigation before hackers exploit that vulnerability.
On May 31st, Progress released a security advisory warning customers of a “Critical” vulnerability in MOVEit MFT, offering mitigations until patches are installed. According to the security advisory, the patch became available two days later.
Recently, the Clop gang began extorting companies by slowly listing impacted organizations on its data leak site as it attempts to pressure victims to pay a ransom demand.
According to three different disclosures from PBI clients, millions of customers have had their sensitive data exposed in these attacks:
- Genworth Financial, a Virginia-based life insurance services provider, which published a MOVEit Security Event notice on their website affecting “approximately ~2.5-2.7 million individuals who are either customers or insurance agents.”
- Wilton Reassurance, a New York-based insurance provider, which reported that 1,482,490 of its customers had data stolen.
- CalPERS (California Public Employees’ Retirement System), the largest public pension fund in the US, which stated that the “PBI security incident impacts the personal information of approximately 769,000 members.”
This number may increase as other companies make further disclosures.
Genworth indicated that the exposed data includes the following:
- Full name
- Date of birth
- Social security number
- Zip code
- State of residence
- Policy number
- Agent ID (for agents)
This is yet another example of the importance of keeping up with patches and security alerts. Hackers are ready to pounce on companies that don’t respond quickly. It also demonstrates the importance of a sound incident response program. Even the best-protected companies can still be hit by a cyberattack – but a quick response can mitigate potential damage to the organization’s reputation. At least these three companies appear to have been prompt in their notifications.
So, what do you think? Were you aware of the MOVEit Transfer zero-day vulnerability? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.