A number of organizations impacted by the mass hacks exploiting a security flaw in the MOVEit file transfer tool, including energy giant Shell and U.S.-based First Merchants Bank, have confirmed that hackers accessed sensitive data.
According to Brett Callow, threat analyst at Emsisoft, the widely exploited vulnerability in Progress Software’s MOVEit file transfer service has affected more than 200 organizations since the mass-hacks began last month. He tells TechCrunch there have been at least 33 data breach disclosures so far, taking the total number of affected individuals to more than 17.5 million people.
As the number of victims continues to grow, so does the number of confirmed data breaches.
Shell this week confirmed in a brief statement that hackers have accessed “some personal information relating to employees” as a result of the exploitation of its MOVEit Transfer tool, which it says was “used by a small number of Shell employees and customers.”
Shell did not say what data was accessed, how many individuals were affected or whether the company knows how many people have been affected. According to Shell’s website, the company currently has around 86,000 employees.
A Shell spokesperson did not return a request for comment.
Information published alongside Shell’s statement, including international toll-free phone numbers that affected individuals can call for more information about the breach, suggests that employees around the world are affected.
The Russia-linked Clop ransomware group, which has claimed responsibility for the mass MOVEit hacks, claims on its dark web leak site that it published Shell’s data after the company refused to negotiate. At the time of writing, links to the published data appear to be broken.
Clop also breached Shell in 2020 when the gang targeted Accellion’s file transfer service users. Shell confirmed at the time that the hackers had accessed personal and corporate data.
First Merchants Bank, an Indiana-based banking giant with more than $18 billion in assets, also confirmed a data breach affecting sensitive customer information resulting from the MOVEit hacks.
In a statement, First Merchants said that hackers accessed data including customers’ addresses, Social Security numbers, online banking usernames, payee information and financial account information, including account and routing numbers. The banking giant said that “online or mobile banking passwords were not captured or compromised and remain unaffected by this incident.”
First Merchants Bank also has not yet said how many customers were affected or whether the company has the ability to determine the number of affected customers. A spokesperson did not return a request for comment.
Clop has not yet listed First Merchants Bank on its dark web leak site.
‘Majority of schools’ in the U.S. likely affected
The ransomware group claimed to have stolen data from other organizations, including energy giants Siemens Energy and Schneider Electric, law firm Proskauer and City National Bank.
Several new victims have confirmed MOVEit-related data breaches in recent days, including the U.K.’s Cambridgeshire County Council, Dublin Airport and Wisconsin-based Madison College.
Madison College is just one of a number of schools that have confirmed MOVEit-related breaches, the majority of which stem from security incidents affecting the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association of America (TIAA). Callow notes that given the number of organizations in the education sector affected by MOVEit so far, “it’s possible that the majority of schools in the U.S. will also have been impacted.”
Callow added that at least eight organizations, including NSC, were delisted from Clop’s leak site in recent days. Another of these organizations is U.S. cybersecurity company Telos, which provides services to the Department of Defense and the Department of State.
It’s not known whether or not these organizations paid Clop’s ransom demand. Clop states on its leak site that it will “delete all” data related to the government.
Do you work at an organization that’s affected? Do you have more information you can share? You can contact Carly Page securely on Signal at +441536 853968 and by email. You can also share tips and documents with TechCrunch via SecureDrop.