More MOVEit-related data breaches are disclosed.
N2K, Sep 25, 2023

A continuing software supply chain incident finds more victims.

Three more organizations have disclosed data breaches related to exploitation of issues (now for some time patched) with the widely used MOVEit software.

Sovos Compliance clients affected.

JDSupra reports that Sovos Compliance, LLC, has determined that six more of its clients may have had data exposed via exploitation of MOVEit file transfer software. These clients (UBS Financial Services Inc., Atlantic Shareholder Services, Patelco Credit Union, Bangor Savings Bank, Pan-American Life Insurance Group, Inc., and Celink) may have seen the names and Social Security numbers of their own customers accessed by unauthorized parties.

Personal health information at BORN Ontario compromised.

Children born in Ontario between 2010 and 2023 and their mothers may have had their personal information exposed in a Cl0p ransomware attack against the Better Outcomes Registry & Network (BORN), a provincial government agency in Ontario. BleepingComputer reports that up to 3.4 million people may have been affected. The data at risk include:

  • “Full name
  • “Home address
  • “Postal code
  • “Date of birth
  • “Health card number

“Depending on the type of care received by BORN, the additional data below may have been exposed as well:

  • “Dates of service/care,
  • “Lab test results,
  • “Pregnancy risk factors,
  • “Type of birth,
  • “Procedures, [and]
  • “Pregnancy and birth outcomes”.

BORN Ontario closed its investigation on September 25th. The final public report said in part:

“Late evening on May 31, BORN Ontario, the provincial perinatal, newborn and child registry, was made aware of a global vulnerability within the MOVEit data transfer software by Progress Software, an external software vendor used by BORN Ontario for the secure transfer of data files with authorized partners. 

“The MOVEit data transfer software is used across the world by governments, private sector organizations and multinationals. Public reports suggest the MOVEit vulnerability has affected well over 2,500 organizations globally and advisories have been published by the Canadian Centre for Cyber Security and other cybersecurity government agencies. 

“In response, BORN Ontario immediately took steps to isolate systems, contain the threat, and launched an investigation by third-party cybersecurity experts to understand the scale of this matter. BORN has reported the incident to law enforcement and Ontario’s Information and Privacy Commissioner.  

“The MOVEit vulnerability allowed unauthorized malicious third-party actors to access and copy files of personal health information contained in BORN Ontario records which had been transferred using the secure file transfer software.

“The investigation to date confirms that files being transferred using the MOVEit secure file transfer software were affected. The BORN Information System (BIS) was not compromised.

“The affected MOVEit FTP Server that was exploited has been decommissioned. The server will remain offline until changes to file transfer protocol are investigated and transfer operations are deemed safe to continue under updated configuration.”

James McQuiggan, security awareness advocate at KnowBe4, discussed the incident as an instance of third-party risk. “Third-party vendors are an essential component, facilitating everything from payment processing to cloud services. However, there is the new lurking danger, the potential for significant data breaches,” he said. “Unfortunately, the number of attacks via third-party vendors is becoming more common, as the original attack provides an exponential impact to other organizations.”

Attacks of this kind have recently grown more common. “We are seeing these attacks on a daily basis, as organizations are impacted by breaches arising from their vendors. If the attack is successful, it not only tarnishes the originating organization's reputation but can expose them to additional legal costs, and financial penalties.”

There are some measures organizations can take to manage such risks. “One of the best practices for organizations using third-party vendors is having a comprehensive incident response plan in place that can help minimize the damage in the event of a breach. Having that playbook where they can review various scenarios, removes all the guesswork when the actual incident happens. It's not a matter of ‘if,’ but ‘when,’” McQuiggan said.

National Student Clearinghouse data exposure affects some 900 institutions.

According to SecurityWeek, students at some nine-hundred colleges and universities may have had their personal data exposed through the National Student Clearinghouse’s use of MOVEit. It was a ransomware attack. The data included “name, date of birth, contact information, social security number, student ID number, and school-related records, including degree and enrollment records and course-level data.” Which data were exposed varies from student to student.

The National Student Clearinghouse is a not-for-profit that provides its member institutions, all North American colleges and universities, with reporting, verification, and research services. It offers an extensive account of its commitment to student privacy on its website. The organization disclosed details of the incident in a letter to affected individuals. 

Darren Williams, CEO and Founder of BlackFog, sees the education sector as a laggard in the adoption of effective security measures. “As yet another organization joins the long list of MOVEit victims, the vulnerabilities and inadequacies of the traditional defensive-based cybersecurity techniques organizations are still relying on are highlighted. The education sector remains one of the top targeted sectors for cyberattacks, emphasizing the need for schools to invest in more updated technologies that enable them to keep up with the quickly evolving techniques attackers use against them. It will be some time before we know the full extent of this breach, and meanwhile, the MOVEit exploit victims list will inevitably grow.”

In this case, the target may have been one of opportunity. Academic organizations are often under-resourced when it comes to cybersecurity, as Colin Little, Security Engineer with Centripetal, wrote. “Unfortunately, schools, and the professional organizations that serve them, will always be an attractive target for attackers due to their limited cyber expertise and budgets.”

Little offered some advice to the education sector. “Educational institutions can bolster their defenses against cyberattacks like MOVEit by implementing a multifaceted cybersecurity strategy.

  • “First, schools need to prioritize employee cybersecurity training to raise awareness about phishing threats and social engineering tactics. Strong password policies and multifactor authentication can enhance login security.
  • “Second, regularly updating and patching software and systems is critical to addressing vulnerabilities.
  • “Third, and most important, taking a proactive approach by implementing intelligence powered cybersecurity can help identify emerging threats and address potential weaknesses in their infrastructure.”

Little concluded, “By adopting these measures, education institutions can significantly reduce their vulnerability to MOVEit and similar cyberattacks in the future.”

Nick Tausek, Lead Security Automation Architect at Swimlane, also sees academic institutions as, relatively speaking, low-hanging fruit. They hold a great deal of sensitive personal information and often experience difficulties in securing it. “Educational institutions are notorious for having very limited cybersecurity resources,” he wrote in emailed comments. “Just last month the U.S. Department of Education and the White House announced a nationwide effort to improve K-12 cybersecurity systems through public information campaigns, grant opportunities, and partnerships with ed-tech companies and education advocacy groups.”

In part, he argued, this is a labor force issue. “In addition to the efforts made by the Department of Education and The White House, the education sector, along with many industries, must prioritize hiring cybersecurity professionals. According to recent Swimlane research, the cyber talent gap continues to underscore how chronically understaffed security teams are, and the numerous large-scale attacks demonstrate that cybersecurity will continue to suffer without adequate staffing.”

In this case, where labor is scarce and expensive, Tausek said it makes sense to look for automated solutions that can redress staff shortages. “To mitigate the negative repercussions of having limited cybersecurity resources in schools, organizations should leverage security automation to assist with the detection of and response to these threats in real time.”

And he pointed out that this incident is a supply-chain issue as well. “Additionally, organizations that utilize third-party vendors must ensure that not only their own infrastructure is secure, but also that of the third-parties they are connected to. By adopting low-code security automation, organizations gain full visibility into IT environments to manage and control access and credentials. Low-code security automation also alleviates the need for a full staff in under-employed organizations by automating basic security tasks that would typically require more hands on deck.”

Prevention, response, and mitigation.

Emily Phelps, Director at Cyware, advises organizations at risk to adopt best practices to protect themselves. “Pervasive MOVEit transfer attacks continue to impact major organizations across a variety of industries,” she wrote in emailed comments. “While a layered security approach (multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc.) plays a pivotal role in defense, organizations must do more to move to a proactive cybersecurity posture. Organizations need access to reliable threat intelligence that can be automatically routed to the right people to rapidly take the right actions.”

Other industry experts focused on the ransomware dimensions of the attack. Steve Hahn, Executive VP at BullWall, wrote, “Ransomware has taken a dark turn this year. Double extortion techniques now mean the threat actors have two ways to monetize the event. Pay to decrypt your data. Pay to not have them release sensitive information on the web.” Hahn notes that reports of restraint and conscience being shown by ransomware gangs are exaggerated. “With that, once unheard of targets, children, elderly and the sick have become the prime targets. Just this year threat actors have hit a breast cancer treatment facility and released pictures of women in vulnerable states that were being treated at the facility. They've also released student records, grades, disciplinary records and information on students’ sexual activity and identity as part of this data theft. There is no bar too low for this new breed of criminals as we've seen the highest number of Ransomware Victims on record for Ransomware. Prevention just staves off the inevitable. Schools will be hit. They need a rapid containment strategy that can isolate those events once the attack begins unfolding. The only hope is to limit the damage and recover quickly when a determined threat actor is targeting these educational institutes.”

Al Martinek, Customer Threat Analyst with Horizon3.ai, offers more detailed advice on prevention and response to both exploitation of unpatched MOVEit instances and the threat ransomware groups like Cl0p pose. "Over the past four months, the widely reported critical security flaw in the Progress MOVEit Transfer application (CVE-2023-34362) constantly reminds us of how important it is to remain vigilant in securing our IT infrastructure from potential cyber threat actors. CVE-2023-34362 poses a significant risk to all industries and sectors relying on MOVEit for file transfer operations. The active exploitation of this vulnerability by threat actors emphasizes the need for swift action. CL0P, for example, continues to exploit CVE-2023-34362 across a large array of organizations big or small."  

Martinek added, “Notoriously known as a ‘Big Game’ ransom hunter, CL0P also hones and sharpens their skills by targeting smaller organizations. Their main goals are to disrupt daily organizational cyber activity, stealing sensitive data (i.e. PII and PHI) and finding other opportunistic ways to disrupt or deploy further attacks. An attack targeting MOVEit's web application could prove detrimental to any organization, because the application is responsible for interfacing with MySQL, Microsoft SQL Server, and Azure SQL database engines.

“It is becoming seemingly important for organizations, including educational institutions of all sizes, to shift their mindset regarding how they secure their systems and networks against cyber threat actors,” he said. “Specifically, organizations must ask themselves whether paying millions of dollars in ransomware is worth not proactively investing in cybersecurity tools that would have alerted to and prevented such attacks and demand for money. Horizon3.ai proactively warns customers about potential zero-day and N-day ransomware attacks and impacts so that they take immediate action to fix potential vulnerabilities and mitigate possible threats. Exploitation by any cyber threat actor poses a significant risk to organizations (especially the Education sector) relying on the MOVEit web application for file transfer operations. Key impacts on these organizations include:

  • "Data Breaches and Intellectual Property Theft (including current and former employee data)
  • "Operational Disruption and Downtime
  • "Manipulation of File Transfers [and]
  • "Reputational Damage and Legal Consequences"

Martinek offered some recommendations:

  • "Implement Regular Pentest Cadence (NodeZero)"
  • "Apply Security Patches and Updates (Progress Security Advisory)"
  • "Implement Intrusion Detection and Prevention Systems"
  • "Conduct Regular Security Audits"
  • "User Awareness and Training"

"To mitigate these risks," he concluded, "organizations should promptly apply security patches, implement regular pentest cadence, implement intrusion detection and prevention systems, conduct regular security audits, and provide user awareness and training. By taking these proactive measures, organizations can enhance their security posture and minimize the potential impacts of CVE-2023-34362 and thwart possible attacks by groups such as CL0P. It is crucial for organizations to prioritize cybersecurity and remain vigilant in addressing vulnerabilities to protect their sensitive data and maintain the trust of stakeholders."
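The incidents above share one pattern: an account or session on a file transfer server reads and copies far more files than its normal workload, and does so from an unfamiliar source. The recommendations to "implement intrusion detection and prevention systems" are easier to act on with a concrete detection in hand, so the following is an added example (written for this page, not code from the article, from Progress, or from any of the vendors quoted). It runs two simple checks over a constructed audit log: a sliding-window count of distinct files downloaded per account, and a comparison of each account's source IP against a baseline of known sources. The log format, field layout, usernames, addresses and thresholds are all assumptions made up for the example and do not reflect MOVEit Transfer's real log schema.

```python
"""Bulk-download and unfamiliar-source detector for a file transfer audit log.

Added example, not part of the article and not MOVEit's log format or any
vendor's tooling. The line layout, accounts, IPs and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: ISO timestamp, account, action, path, bytes, source IP.
# The svc_transfer burst from 198.51.100.7 is the event we want to catch.
SAMPLE_LOG = """\
2023-05-31T22:01:10 alice DOWNLOAD /reports/q1.csv 20480 10.0.0.5
2023-05-31T22:03:44 bob UPLOAD /inbound/claims.xml 5120 10.0.0.9
2023-05-31T23:14:02 svc_transfer DOWNLOAD /pii/batch_001.csv 1048576 198.51.100.7
2023-05-31T23:14:03 svc_transfer DOWNLOAD /pii/batch_002.csv 1048576 198.51.100.7
2023-05-31T23:14:03 svc_transfer DOWNLOAD /pii/batch_003.csv 1048576 198.51.100.7
2023-05-31T23:14:04 svc_transfer DOWNLOAD /pii/batch_004.csv 1048576 198.51.100.7
2023-05-31T23:14:05 svc_transfer DOWNLOAD /pii/batch_005.csv 1048576 198.51.100.7
2023-05-31T23:14:06 svc_transfer DOWNLOAD /pii/batch_006.csv 1048576 198.51.100.7
2023-06-01T08:02:30 alice DOWNLOAD /reports/q2.csv 20480 10.0.0.5
"""

# Constructed baseline: the source addresses each account normally connects from.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.9"},
    "svc_transfer": {"10.0.0.20"},
}

MAX_FILES = 5                   # more than this many distinct files ...
WINDOW = timedelta(minutes=2)   # ... inside this window is a burst


def parse_line(line):
    """Split one constructed audit line into a dict of typed fields."""
    ts, user, action, path, size, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "path": path, "bytes": int(size), "src": src}


def detect(log_text, known_sources=KNOWN_SOURCES, max_files=MAX_FILES, window=WINDOW):
    """Return alert tuples (alert_type, account, detail), in the order raised.

    Two checks, both deliberately cheap enough to run on a streaming log:
      new_source      - account active from an IP outside its known baseline
      burst_download  - more than max_files distinct files downloaded within window
    """
    alerts = []
    recent = defaultdict(deque)     # account -> deque of (timestamp, path) downloads
    burst_flagged = set()           # one burst alert per account is enough
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]

        # Check 1: activity from an address the account has never used before.
        if user in known_sources and ev["src"] not in known_sources[user]:
            key = ("new_source", user, ev["src"])
            if key not in alerts:
                alerts.append(key)

        if ev["action"] != "DOWNLOAD":
            continue

        # Check 2: sliding window of distinct files pulled by this account.
        q = recent[user]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) > max_files and user not in burst_flagged:
            burst_flagged.add(user)
            alerts.append(("burst_download", user,
                           f"{len(distinct)} distinct files within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two checks are intentionally independent so that either one alone is worth a look, while both firing on the same account within seconds is the signal that deserves an immediate containment decision (disable the account, block the source, preserve the server's logs) rather than a ticket. Thresholds and the source baseline must be tuned to the environment; a legitimate batch job that pulls fifty files every night from a fixed address should be in the baseline, not in the alert queue.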