The recent MOVEit transfer breach highlights the intersection of cybersecurity and business growth.

On the one hand, technical experts suggest that this incident represents a supply-chain attack, based on a zero-day vulnerability in a common cloud file transfer.

Moreover, the hackers, associated with the Russian Clop ransomware group, managed to extort sensitive data from numerous organizations. Additional evidence suggests that the malware was tested in 2021 and that more than 100 organizations have been hit.

MOVEit and indirect victims

On the other hand, the victims of this attack exceed those using MOVEit directly, posing a substantial threat to businesses using web and open-source applications. For instance, the Payroll Provider Zellis and UK regulator Ofcom used the file transfer, and their employee data was leaked.

Furthermore, numerous businesses that collaborated with these organizations were also impacted and put at risk. These indirect victims included the BBC, British Airways, and Boots. Therefore, modern cyber resilience requires businesses to take rigorous preventive measures internally and validate the security of any external application or service used and the potential exposure of their third-party arrangements.

Along with the above, Ofcom’s declaration acknowledged the disclosure of sensitive employee data and potential harm to Ofcom-regulated companies. Ofcom’s role as a regulator and its affiliation with government matters illustrate the tremendous risks of such attacks. It also highlights the required regulatory precautionary measures for high-risk data breaches according to the General Data Protection Regulation (GDPR). Importantly, there is an urgent need for organizations to address the post-act measures of attacks and not just preventive steps. This is crucial to enhance the suitability of business mechanisms against cyber threat incidents. Besides the ability to cope with the implications in real time, the lessons learned can assist in building suitable preventive mechanisms across businesses.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Another victim of the attack was the Minnesota Education Department. It reported more than 20 compromised files, including the data of approximately 95,000 students. Some students reported that additional sensitive data was leaked, including college transcript information and the last four digits of their social security number.

Attack rationale

The fact that no ransom demands were posted online by the ransomware operators might hint at the geopolitical goals of the hackers. Some may suggest that this attack sought to cause chaos and harm the reputation of the victim organizations, thereby reducing public trust in their services and reputations.

Others might highlight a broader geopolitical opportunity wherein Russian hackers presumably attempt to undermine the image of the UK as a tech leader globally. This notion is particularly relevant as the UK is involved in discussions and initiatives around establishing AI regulations. Nevertheless, while the attack is still being investigated, the rationale remains vague and open to interpretation.

What’s next?

From a regulatory standpoint, the EU is currently working on amending the Cyber Resilience Act. It aims to strengthen Europe’s defence against cyberattacks on IoT devices, computers, and smartphones.

Notably, the law will require device manufacturers and distributors to disclose vulnerabilities. It also exhibits novel liability regulators to the EU Agency for alleged security incidents within 24 hours. However, this disclosure does not include public disclosure, and consumers may remain unaware of vulnerabilities. 

Despite the loopholes in the proposed act, the increase in the scope of cyberattacks and victims requires businesses to embed cyber resilience in their organizational culture. As the attack investigation continues, greater efforts should be dedicated to strengthening the resilience of all businesses against the threats of cyberattack innovation and manipulation.