When Russia’s Cl0p gang hacked Progress Software’s MOVEit Transfer app via a zero-day SQL injection vulnerability on 27 May, it soon became apparent that the number of organisations and individuals affected would be high.

The first known victim was the payroll services provider Zellis, whose high-profile customers included British Airways, the BBC and Aer Lingus, all of which suffered data breaches as a result.

Other victims soon became known, including:

  • The oil and gas multinational Shell;
  • The University of Georgia;
  • The Boston-based investment fund Putnam;
  • The financial services organisations 1st Source and First National Bankers Bank;
  • Landal Greenparks in the Netherlands;
  • The financial software provider Datasite;
  • The educational non-profit organisation National Student Clearinghouse;
  • The student health insurance provider United Healthcare Student Resources;
  • The manufacturer Leggett & Platt;
  • The Government of Nova Scotia;
  • Johns Hopkins University;
  • The professional services multinational Ernst & Young;
  • The Swiss insurance company ÖKK; and
  • The German mechanical engineering company Heidelberg.

This, however, was only the tip of the iceberg.

Cl0p confirmed that it had stolen data from “hundreds of companies” and threatened to begin publishing its victims’ information if they didn’t pay a ransom. The gang was true to its word: on 14 June, it released the first batch of victims’ names on its dark web site and continued to leak information in the weeks that followed.

The largest hack of the year so far

It’s now been confirmed that the breach has affected over 1,000 organisations and 60 million individuals around the world – although it should be noted that there is likely to be some overlap in terms of individuals affected.

According to analysis by Emsisoft, US-based organisations accounted for 84.7% of known victims, those in Germany 3.4%, those in Canada 2.6% and those in the UK 1.9%.

Those most affected are:

  • The US government services contractor Maximus (11 million individuals affected).
  • The French unemployment agency Pôle Emploi (10 million individuals affected).
  • Louisiana Office of Motor Vehicles (6 million individuals affected).
  • Colorado Department of Health Care Policy and Financing (4 million individuals affected).
  • Oregon Department of Transportation (3.5 million individuals affected).

Supply chain security

It remains difficult to see what Progress Software could have done differently. Zero-day vulnerabilities are by their nature difficult to defend against. Progress worked quickly to patch the vulnerability the criminals exploited and identified other critical vulnerabilities in MOVEit Transfer.

For Progress’s clients, there is undoubtedly little comfort in this, but when it comes to the crunch, organisations must accept that there are security risks associated with information technology and that breaches are to a great extent inevitable – especially when third parties are involved. Indeed, recent research found that 61% of US businesses have been directly affected by a software supply chain threat in the past year.

Moreover, supply chain compromises – data breaches that originate in an attack on a business partner – are more severe than direct attacks. According to IBM’s Cost of a Data Breach Report 2023, business partner supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other types of breach.

When it comes to software supply chain compromises like the MOVEit Transfer breach, the figures are marginally better but are still a concern: software supply chain compromises cost 8.3% more and take 8.9% longer to identify and contain than other breach types.

However, just because third-party risks are inevitable doesn’t mean they can’t be mitigated. The key is knowing where your exposure lies – and having a clear, documented process for assessing and managing the risks your suppliers introduce. That’s where independent expertise can make a real difference.

If you need to audit your supply chain, we can provide all the support you need.

Supply chain audits

We specialise in supply chain audits against data protection and information security requirements, but we can also provide support with broader documented requirements such as EDG and health and safety.

Our services are tailored to the specific needs of our clients – whether you need to review supply chain questionnaires or conduct full audits.