We’re seeing continued fallout from the MOVEit Transfer zero-day vulnerability that I reported on last month, with a lot more organizations affected.

As I reported last month, cyberattacks started on May 27th, when the Clop ransomware gang began exploiting a zero-day vulnerability of the file transfer software MOVEit from Progress Software, LLC to allegedly steal data from hundreds of companies. On May 31st, Progress released a security advisory warning customers of a “Critical” vulnerability in MOVEit MFT, offering mitigations until patches are installed. According to the security advisory, the patch became available two days later.

Sadly, that was too late for PBI Research Services (PBI), which suffered a data breach with three clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks.

Remember when I said “This number may increase as other companies make further disclosures”? I did a search for the month of July and I found no less than 19 companies reporting a cyberattack which involved MOVEit Transfer, which exposed at least another 4,706,776 records. I say “at least” because 11 of the 19 companies didn’t specify a record count involved in the cyberattack (at least in the report I have).

Here are the 19 reported MOVEit Transfer related cyberattacks (with reported affected record counts if known):

• Teachers Insurance and Annuity Association of America (2,630,717)
• Milliman Solutions, LLC (1,280,823)
• Centers for Medicare and Medicaid (645,000)
• Hillsborough County, Florida (70,636)
• City National Bank of Florida (36,306)
• Sovos Compliance LLC (18,000+)
• Rockland Trust Bank (14,806)
• bioMérieux (10,244)
• Sunflower Bank
• PlainsCapital Bank
• University of Utah
• Vitality Group
• UCLA
• Radisson Hotels
• Middlebury College
• Athene Annuity and Life Company
• Fidelity & Guaranty Life Insurance Company
• Quorum Federal Credit Union
• New York City Department of Education

As you can see, the continued fallout from the MOVEit Transfer zero-day vulnerability has affected a wide range of organizations from financial institutions and other corporations to colleges and government entities. Many of these are via third-party providers like PBI.

Many of these companies may have been affected before notification of the vulnerability was provided by Progress (which reportedly occurred four days after cyberattacks began). Regardless, the continued fallout from the MOVEit Transfer zero-day vulnerability reinforces the importance of keeping up with patches and security alerts (and making sure that your third-party providers do so as well). All it takes is one weak link to leave you vulnerable.

So, what do you think? Were you aware of the MOVEit Transfer zero-day vulnerability? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.