At a glance.
- MOVEit bug impacts state governments.
- Johns Hopkins suffers data breach.
- Choosing the right cyber insurance.
MOVEit bug impacts state governments.
Last month Progress Software disclosed the discovery of an SQL injection bug in MOVEit, a popular managed file transfer product. Since then, a growing list of organizations have announced they’ve suffered data breaches as a result of the bug, and TechTarget reports that the governments of the US states of Illinois, Minnesota, and Missouri are the latest victims to be added to that list. In a press release Friday, the Minnesota Department of Education (MDE) said it had been notified by a third-party vendor that it had suffered a data breach “as part of a global cyber-security attack targeting the MOVEit software.” On the same day, the Illinois Department of Innovation and Technology (DoIT) disclosed it had experienced a breach that impacted “a large number of individuals.” Then on Tuesday Missouri’s Office of Administration, Information Services and Technology Division announced it had also been hit with a cyberattack connected to MOVEit, though it’s unclear whether any data were breached. These victims join the ranks of the government of Nova Scotia, Canada; HR software provider Zellis; the BBC; and British Airways. Microsoft researchers have attributed the attacks to the Cl0p ransomware gang. Cl0p claims it has hacked hundreds of organizations through the MOVEit bug, and the gang threatened to list the targets’ names on its leak site if they failed to contact the threat group by June 14. While Cl0p says it plans to delete any data associated with public sector organizations like government agencies, city services, and police departments, Emsisoft threat analyst Brett Callow says there’s no reason to trust the cybercriminals. “While Clop may not attempt to extort money from those bodies, they may well sell the data, trade it, or use it for phishing,” Callow said. “Why wouldn't they?”
Johns Hopkins suffers data breach.
Speaking of the MOVEit bug, US research institution and medical center the Johns Hopkins University has disclosed it suffered a cyberattack connected to the vulnerability. A notification letter sent to the university community states that the incident “may have impacted the information of Johns Hopkins employees, students and/or patients.” Officials say an investigation is ongoing, and that it does not appear that electronic health records were impacted. Cybersecurity expert Bill Sieglein told WBAL 11 News, “This was called a ‘zero-day attack,’ meaning the attackers, who are out of Russia, a group known as CLOP, they discovered a vulnerability in this piece of software called MOVEit. MOVEit is a piece of software that allows you to move large data files between networks and between systems. They found a vulnerability before anybody knew about it and, all at once, launched an attack worldwide.”
Tyler Sullivan, Senior Security Consultant at NetSPI, commented on the implications of this instance of MOVEit exploitation for software supply chain security. “Following the recently disclosed, widely exploited vulnerability in the MOVEit file transfer product, multiple organizations have disclosed they’ve been affected despite not being first-hand users of the technology, due to the complex software supply chain ecosystem,” Sullivan wrote. “To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it’s critical for organizations to minimize the attack surface and reliance on the supply chain; this means decreasing the amount of third parties used and regularly auditing them for any security gaps. There is not a single responsible party for the supply chain; it's down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way.”
Choosing the right cyber insurance.
As the average cost of a cyberattack in the US has risen to $9.44 million, companies are looking for ways to protect their bottom line. Globally, the rapidly expanding cyber insurance industry increased from $13.33 billion in 2022 to $16.66 billion in 2023, and it’s expected to reach $84.62 billion by 2030. CSO Online offers a primer on the differences between cyber liability insurance and data breach insurance, two terms that are often used interchangeably but are actually two very different things. Anjali Das, partner and co-chair of the national cybersecurity and data privacy practice team at Wilson Elser LLP, says, “Cyber liability insurance usually provides coverage for the defense of such third-party claims and lawsuits, including potential damages, judgments, and/or settlements.” That said, cyber liability insurance can also provide first-party coverage. Kiran Boosam, vice president and global insurance industry leader at Capgemini, uses a data breach at a bank as an example. “A comprehensive cyber liability insurance will not only protect the financial interest of the bank and its clients against the PII data breach, but it will also cover the financial losses and associated costs incurred due to interruption to the bank’s online businesses,” he explains.
Data breach insurance is actually a subset of cyber liability insurance, protecting only some of the losses associated with a cyber incident. Layna Cook Rush, a shareholder at Baker, Donelson, Bearman, Caldwell & Berkowitz PC, says, “Data breach insurance does not cover third-party claims, such as lawsuits against the company by impacted individuals or third parties or regulatory action by state or federal government agencies.”