Cybersecurity firm Emsisoft shared disconcerting details about the recent, massive hacking campaign conducted by the Cl0p ransomware group that targeted the MOVEit Transfer file transfer platform designed by Progress Software Corporation.
According to the experts, the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals. The Cl0p ransomware gang exploited the zero-day vulnerability CVE-2023-34362 to hack the platforms used by organizations worldwide and steal their data.
The data is sourced from state breach notifications, SEC filings, and other public disclosures, as well as the leak site maintained by the Cl0p group, and is current as of August 25, 2023.
The researchers reported that the attacks impacted tens of millions of individuals. Below is the list of organizations with the highest number of impacted individuals:
Organization | Individuals |
Maximus | 11 million |
Pôle emploi | 10 million |
Louisiana Office of Motor Vehicles | 6 million |
Colorado Department of Health Care Policy and Financing | 4 million |
Oregon Department of Transportation | 3.5 million |
Teachers Insurance and Annuity Association of America | 2.6 million |
Genworth | 2.5 million |
PH Tech | 1.7 million |
Milliman Solutions | 1.2 million |
Wilton Reassurance Company | 1.2 million |
“U.S.-based organizations account for 83.9 percent of known victims, Germany-based 3.6 percent, Canada-based 2.6 percent, and U.K.-based 2.1 percent.” reads the report published by Emsisoft. “The most heavily impacted sectors are finance and professional services and education, which account for 24.3 percent and 26.0 percent of incidents respectively.”
The experts explained that is impossible to accurately calculate the cost of the MOVEit security breaches. However, using data from IBM’s “Cost of a Data Breach Report 2023” report, it is possible to estimate the cost. According to the report, data breaches cost an average of $165 USD per record, while the number of individuals impacted by the MOVEit campaign is 60,144,069, this suggests that the total cost is $9,923,771,385. However, Emsisoft highlighted that only a minority of victims have so far reported the number of individuals impacted.
If the same average number of individuals is confirmed to have been impacted for each of the remaining known incidents, the total cost of this campaign will reach $63,896,282,853.
“The MOVEit incident highlights the challenges organizations face in securing their data. It’s not only their own security they need to be concerned about, it’s their supply chains too. Complicating matters further is the fact that attacks which leverage zero-day vulnerabilities, as this one did, are extremely hard to defend against.” concludes the report. “The incident will undoubtedly be extremely costly. Beyond remediation, organizations and their insurers will need to provide credit monitoring to individuals and will undoubtedly face multiple lawsuits.”
Researchers from cybersecurity firm Resecurity also published a report that confirms the data shared by Emsisoft. As of August 23, Resecurity reported that 963 public and private sector organizations was hit by the MOVEit campaign.
“The most impacted sectors are finance, professional services, and education, which collectively account for over 48% of reported victims.” reported Resecurity. “Cl0p is anticipated to generate between $75 mm and $100 mm in primary ransom payouts, making it the most significant cyberattack of all time.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, MOVEit)