The mass-exploitation of MOVEit Transfer software has rapidly cemented itself as the largest hack of the year so far. While the full impact of the attack will likely remain untold for months to come, there are now more than 1,000 known victims of the MOVEit breach, according to cybersecurity company Emsisoft.
This milestone makes the MOVEit breach not just the largest hack of 2023 — but also one of the largest in recent history.
The fallout began in May when Progress disclosed a zero-day vulnerability in MOVEit Transfer, its managed file transfer service used by thousands of organizations around the world to move large amounts of often-sensitive data over the internet. The critical-rated vulnerability allowed attackers — specifically the notorious Clop ransomware and extortion gang — to raid MOVEit Transfer servers and steal customers’ sensitive data stored within.
Since then, Clop’s attacks and threats to publish the stolen data if it doesn’t receive payments have continued unabated, as have the number of known victims organizations, known impacted individuals, and the costs associated with the fallout.
We take a look at the MOVEit mass hack by the numbers.
Just as the number of known victim organizations crossed the 1,000 milestone on August 25, the number of impacted individuals also surpassed the 60 million mark.
This figure, published by Emsisoft, is sourced from state breach notifications, SEC regulatory filings, and other public disclosures. Emsisoft notes that while there will invariably be some overlap in terms of individuals impacted, the number is only likely to increase as more organizations continue to confirm MOVEit-related data breaches.
U.S.-based organizations account for 83.9% of known MOVEit corporate victims, according to Emisoft’s researchers. Organizations in Germany account for about 3.6% of total victims, followed by Canadian companies at 2.6%, and firms in the United Kingdom at 2.1%.
In July, U.S. government services contracting giant Maximus became the largest victim of the MOVEit breach after confirming that hackers accessed the protected health information — including Social Security numbers — of as many as 11 million individuals. The Virginia-based firm said at the time that it had not yet determined the exact number of individuals affected.
This scale of this incident is closely followed by the compromise of the French government’s unemployment agency, Pôle emploi, which recently confirmed a breach impacting the personal data of up to 10 million people. This makes the French agency the second-largest known victim of the mass-hack.
Rounding out the top five MOVEit victims list is the Louisiana Office of Motor Vehicles (6 million). Colorado Department of Health Care Policy and Financing (4 million), and the Oregon Department of Transportation (3.5 million).
About one-third of hosts running vulnerable MOVEit servers at the time the mass-hacks began belonged to financial service-related organizations, according to security analysis firm Censys.
The report, which analyzed 1,400 MOVEit servers that were openly accessible on the internet, found that 15.96% of hosts were associated with the healthcare sector, 8.92% were linked to information technology organizations, and 7.5% were attributed to government and military entities.
This is the estimated total cost of the MOVEit mass-hacks so far. The number is based on IBM data, which found the average data breach last year cost $165, coupled with the number of individuals confirmed to have been impacted.
However, as noted by Emsisoft, only a handful of corporate victims have so far reported the number of individuals known to be affected. Emsisoft said that if the number was scaled, the cost would be at least $65 billion to date.
Researchers believe that Clop may have been sitting on its MOVEit exploit as far back as 2021. U.S. risk consulting firm Kroll said in a report that while news of the vulnerability first emerged in late May, Kroll researchers identified activity indicating that Clop had been experimenting with exploiting this vulnerability for almost two years.
“It appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel,” Kroll states.
The U.S. State Department offered a $10 million bounty related to information on the Clop ransomware group after records from a number of department’s entities were compromised in the MOVEit breach.
The Department of Energy confirmed to TechCrunch that two of its entities were among those breached.
This is how much money Clop could earn from the MOVEit mass-hacking campaign, according to ransomware recovery company Coveware, with that sum derived from just a small handful of victims who gave into the hackers’ demands and paid significant ransom payments.
“This is a dangerous and staggering sum of money for one, relatively small group to possess. For context, this amount is larger than the annual offensive security budget of Canada,” said Coveware.
This is the amount of government data that Clop claims to hold on government, city or police services. In a post on its dark web leak site, the gang said it would “do the polite thing” and delete all government-related data. Clop has not provided evidence for this claim, nor has TechCrunch been able to verify its claim. “We are only financial [sic] motivated,” the hackers wrote.