Hackers have compromised the personal data of more than 15.5 million individuals by exploiting a security vulnerability in the MOVEit file transfer tool, and the number of victim organizations continues to grow.
There are more than 140 known victims of Clop ransomware attacks targeting a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. Brett Callow, a ransomware expert and threat analyst at Emsisoft, tells TechCrunch that while only 10 of these victims have so far confirmed the number of people affected, the number already exceeds more than 15.5 million individuals.
This includes approximately 3.5 million Oregon driver’s license holders; roughly 6 million Louisiana residents; some 770,000 members of the California Public Employees’ Retirement System; between 2.5 and 2.7 million Genworth Finance clients; approximately 1.5 million customers of insurance provider Wilton Reassurance; more than 170,000 beneficiaries of the Tennessee Consolidated Retirement System; and more than half a million Talcott Resolution customers.
Callow tells TechCrunch that the mass-hacks include U.S. educational nonprofit National Student Clearinghouse, which could be a “potentially significant” breach in terms of numbers. The organization, which began notifying schools of the data breach, works with 3,600 colleges and universities and 22,000 high schools.
Callow noted that at least seven of the known MOVEit victims are U.S. universities, and 16 are U.S. public sector organizations.
This includes the U.S. Department of Health and Human Services (HHS), according to Bloomberg, which reported Wednesday that officials notified Congress of an incident involving the exposure of more than 100,000 individuals. HHS did not respond to TechCrunch’s questions and has not yet been added to Clop’s dark web leak site.
The U.S. Cybersecurity and Infrastructure Security Agency previously told TechCrunch that “several” U.S. government agencies had experienced intrusions related to the exploitation of the MOVEit transfer flaw, and a spokesperson for the Department of Energy confirmed that this included two DOE entities.
It’s not just government departments that have been targeted.
Clop, which claimed responsibility for the widespread attacks, has added tens of new victims to its leak site this week alone, including banks, consultancy and legal companies, and energy giants.
Siemens Energy spokesperson Claudia Nehring confirmed to TechCrunch that the company is among the targets of the MOVEit attacks. “Based on the current analysis no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” Nehring added.
The University of California–Los Angeles (UCLA), which used MOVEit Transfer to transfer files across campus and to other entities, is also among Clop’s newly listed victims. UCLA spokesperson Margery Grey told TechCrunch that the university “notified the FBI and worked with external cybersecurity experts to investigate the matter” and has notified those who have been impacted. UCLA declined to say how many individuals have been affected.
None of the other victims listed by Clop have yet responded to TechCrunch’s requests for comment.
The exact number of impacted organizations, and subsequently breached individuals, remains unknown. In a post on its leak site, Clop claims to have compromised “hundreds” of organizations, which means that more victims are likely to come to light in the coming days and weeks.
In light of this latest wave of mass attacks, U.S. State Department earlier this month offered a $10 million bounty for information on the Clop ransomware group, a Russia-linked gang that was also responsible for previous mass-attacks exploiting flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.
Do you work at an organization that’s affected? Do you have more information you can share? You can contact Carly Page securely on Signal at +441536 853968 and by email. You can also share tips and documents with TechCrunch via SecureDrop.