MOVEit, a popular file-sharing platform, is the latest in a string of platforms identified as having vulnerabilities capable of being compromised by cyber criminals. The most recent threat intelligence reveals that threat actors, primarily the ‘Cl0p’ ransomware group, have been exploiting a zero-day vulnerability in the MOVEit platform to extract data, and hold organisations to ransom. Reports also indicate that this vulnerability might have first been exposed by Cl0p as long as two years ago.
All organisations which use the platform should check the version of MOVEit being used, take the technical remediation steps recommended by the software provider, Progress, and be aware of their potential legal and regulatory obligations should the organisation be targeted (or indeed, if MOVEit is known to be used by a supplier within the organisation’s supply chain).
- Ransomware groups are exploiting a zero day vulnerability in the file sharing platform, MOVEit.
- The vulnerability is used to gain unauthorised access to an organisation’s MOVEit file transfer environment.
- Data may be taken or exfiltrated from the environment, and used to hold an organisation to ransom.
- Technical remediation steps should be taken with urgency, and organisations which suspect that a vulnerability in the software has been exploited should consider whether any urgent legal and regulatory considerations arise.
On 7 June 2023, CISA (The US’s Cybersecurity and Infrastructure Agency) and the FBI released a joint advisory on zero day vulnerabilities impacting the MOVEit platform. The joint advisory outlined that CISA and the FBI were aware that the Cl0p ransomware group had been exploiting the vulnerabilities to gain access to organisations’ MOVEit file transfer environments, and were extracting files.
It has also been reported that with enough time and effort, Cl0p and other groups exploiting the vulnerabilities could move from the MOVEit environment, into an organisation’s own corporate environment. As such, organisations which suspect that they may have been the target of criminal groups exploiting MOVEit vulnerabilities should consider engaging cyber specialists to investigate exactly what has occurred and to advise on the possible, and likely pressing, legal and regulatory considerations arising.
Organisations also need to be aware that Cl0p is known to use the threat of posting stolen files online to force target organisations to pay ransoms. One of the risks for organisations using vulnerable MOVEit software is that they may be subject to similar threats.
When might a data leak occur?
For impacted organisations, Cl0p has threatened to name any victims that have not paid a ransom (to prevent the leak of stolen data) from 14 June 2023. Cl0p’s victims will then have a few days to re-consider engaging, before any data Cl0p exfiltrated is published on the dark web, potentially from 21 June 2023.
Key dates to note
14 June 2023: Cl0p to start naming those organisations they have been able to compromise by exposing a vulnerability in the MOVEit software.
21 June 2023: Cl0p to start publishing data stolen from their victims’ MOVEit platforms in the event a ransom is not paid to avoid the leak.
What are the legal and regulatory implications?
Any organisation using MOVEit needs to consider the potential legal and regulatory obligations arising from a possible compromise, including whether a personal data breach has occurred. The same considerations apply if an organisation shares data with a supplier or other third party which uses MOVEit in the course of processing that data.
From a UK perspective, pursuant to the relevant data protection legislation, personal data breaches are defined as:
When that has occurred, a risk assessment is required in order to determine whether notification is required to (i) the data protection regulator (i.e. the ICO), and (ii) the individuals whose personal data has been compromised.
For organisations with a global footprint, separate international regulatory considerations might arise, to the extent that data held in MOVEit relates to individuals residing outside the UK. Depending on the countries in scope, different data protection laws may apply, meaning different thresholds for notification to regulators and/or individuals, often with very pressing deadlines (some within as little as six hours from awareness of the breach).
In short, organisations should urgently investigate whether any vulnerability in their software has been exploited, and if so, consider whether a data breach has occurred. If it has, the organisation may need to notify regulators, including data protection regulators in the UK and worldwide, as well as any industry specific regulators, impacted employees, clients and/or other stakeholders.
The same considerations apply if an organisation shares data with a company using MOVEit, as there could be a knock-on impact in the event that data is subsequently published on the dark web, and so urgent enquiries should be made of suppliers and other third parties.
Given the timeline set by Cl0p, organisations should act with urgency to investigate.