The list of companies hit by a cyberattack on a widely used software tool continues to expand and several victims have filed lawsuits alleging mishandling of data.
The continued disclosure of new victims affected by hackers exploiting a vulnerability in MoveIt, a common file-transfer tool from
Progress Software,
underscores how cyberattacks can ripple through supply chains. Some companies have been drawn into data breaches without having used MoveIt because their business partners use it.
“It’s massively complex, the downstream impact is difficult to predict, and organizations are not necessarily going to be sure at this point whether they do have any exposure,” said Brett Callow, threat analyst at cybersecurity company Emsisoft.
Since Progress Software disclosed a flaw in MoveIt on May 31, more than 200 companies have said they were affected by cyberattacks on the software, and hackers have claimed credit for attacking close to 400 organizations, Callow said. The Cl0p ransomware group has taken responsibility for the cyberattacks and posted data from some victims on its underground website.
At least 13 lawsuits accusing Progress of poor cybersecurity have been filed since the vulnerability was first disclosed in federal courts around the U.S.
Progress issued a patch within 48 hours after discovering the initial vulnerability. The company unearthed another flaw in MoveIt around two weeks later and issued a patch. Progress issued three fixes on July 6 for more vulnerabilities. “We remain focused on supporting our customers by helping them take the steps needed to further harden their environments, including applying the fixes we have released,” a spokesperson for Progress said. “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures.”
Personal information about millions of individuals has been exposed in MoveIt hacks at companies ranging from energy giant
Shell
to British broadcaster BBC, as well as U.S. government agencies including the Energy Department.
The long-term effects of significant amounts of personal data being exposed could be damaging for businesses as well as their customers and employees, Callow said. Leaked data can be fodder for future hacks targeting individuals, he said, and companies often face lengthy legal actions after such strikes.
Life-insurance company
Genworth Financial
said hackers accessed the data of 2.5 to 2.7 million of its customers and insurance agents, including Social Security numbers, dates of birth, names and addresses. Genworth said it doesn’t use MoveIt but was affected through its population research supplier, PBI Research Services, which does. PBI said that it became aware that it was attacked on June 2 and has contacted affected customers. In a filing to the U.S. Department of Health and Human Services on July 14, PBI said personal data from around 1.2 million people was exposed in the incident.
A Genworth spokeswoman said the company “has been laser-focused on working with PBI to understand the specific impact.”
Genworth was one of six suppliers that informed Colorado State University that it was affected by MoveIt exploits, the university said in a statement. Understanding what data was affected is difficult, a spokeswoman for the university said.
“New details are emerging daily from MoveIt and other third-party vendors, so the university does not yet have complete information about the extent to which our data was involved, including details about what university data may have been part of the incident,” the spokeswoman said.
Hackers have carried out several supply-chain attacks on widely used technology tools that spread to companies and governments around the world, including those against software companies SolarWinds in 2020 and Kaseya in 2021. A 2021 cyberattack on a tool similar to MoveIt—Accellion’s File Transfer Appliance—had similar ripple effects.
Some companies that previously said they were affected by the attack have recently disclosed more details. In June, Shell said it was affected by a MoveIt hack. On July 4, Shell said some personal information about employees in its BG Group unit was accessed. “We are taking steps to inform impacted individuals to help those affected address possible risk,” a spokesperson said.
Many companies may not know if their suppliers were affected by attacks on MoveIt, requiring cyber teams to spend time investigating if that could be the case, said Suzie Squier, president of the Retail and Hospitality Information Sharing and Analysis Center, a nonprofit that aids companies in the sector in exchanging details about cyber threats.
“It’s a trickle-down effect,” she said.
On July 7, a proposed class-action lawsuit was filed against Johns Hopkins University and its health system on behalf of employees and patients whose information was exposed in a MoveIt attack.
“The privacy and security of Johns Hopkins community members and our patients is our highest priority, and we are actively in the process of communicating with impacted individuals,” a spokeswoman for Johns Hopkins said.
Victim companies continue to surface, noted Emsisoft’s Callow. “This incident is going to be massively costly,” he said.
Write to Catherine Stupp at catherine.stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8