The Biggest Hack of 2023 Keeps Getting Bigger

The MOVEit incident eclipses them, though, both in the number of victim organizations and individuals whose data was compromised. Antivirus company Emsisoft has been tracking the number of MOVEit victim organizations that have publicly declared they were impacted since May. The researchers have combed individual US state breach notifications, filings with the US Securities and Exchange Commission, public disclosures, and Clop’s own disclosure website to tabulate and reconcile the true toll of the attacks.

To date, Emsisoft has concluded that 2,167 organizations have been impacted by the sprawling campaign. The number had been hovering around 1,000 in recent months, but it jumped significantly when the National Student Clearinghouse revealed 890 colleges and universities across the US—including Harvard University and Stanford University—had been impacted by MOVEit breaches. Organizations in the US account for 88.8 percent of known victims, according to Emsisoft, while a smattering of other organizations in Germany, Canada, and the UK have also been exposed by Clop and come forward.

According to Emsisoft’s analysis, around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of Clop’s MOVEit spree. But since there are estimated to be nearly 2,000 organizations that have not revealed how many individuals had personal data affected in their breaches—and since researchers have concluded that there are other impacted organizations that haven’t come forward at all—the true total of people whose data was compromised is likely even larger, possibly on the scale of hundreds of millions of individuals, according to Emsisoft.

“It’s inevitable that there are corporate victims that don’t yet know they’re victims and there are individuals out there who don’t yet know they’ve been impacted,” says Brett Callow, a threat analyst at Emsisoft. “MOVEit is especially significant simply because of the number of victims, who those victims are, the sensitivity of the data that was obtained, and the multitude of ways that data can be used.”

Censys’ Austin says file transfer tools are by their nature a “fantastic target” for cybercriminals. The whole purpose of the tools is to manage and share data, so these services are often trusted with large volumes of sensitive information. BORN Ontario said in a statement last week that the data taken in the breach was from those “seeking pregnancy care and newborns.” This included lab test results, pregnancy risk factors, and procedures. Names, dates of birth, government ID numbers like Social Security numbers, addresses, and more have all been compromised in other MOVEit incidents.

While cybercriminal groups often make headlines for attention-grabbing ransomware or extortion attacks, such as those against casinos, persistent and unrelenting theft, publication, extortion, and trade of people’s sensitive data from sprees like the MOVEit rampage can ruin lives—a cumulative reality that is often overshadowed by individual incidents where profits are on the line. Hacks on schools have revealed details of sexual assaults, child abuse allegations, and suicide attempts, with the Associated Press reporting individuals often don’t know the details have been published. Meanwhile, breaches of mental health service providers have exposed patients’ records.

Callows says that he suspects the slow drip of MOVEit-related disclosures “will rumble on for years.” More broadly, he and Austin emphasize that defenders should prepare for cybercriminals to continue targeting widely-used data management software. As Callow puts it, “MOVEIt isn’t the first file transfer application to be exploited and it likely will not be the last.”

Just last week, MOVEit developer Progress Software disclosed a new set of vulnerabilities in one of its file transfer tools for servers, known as WS_FTP Server, along with patches for the flaws. The company says that it has not “currently” seen evidence that the bugs are being actively exploited.