The recent MOVEit Transfer breach highlights the intersection of cybersecurity and business growth.

On the one hand, technical experts suggest that this incident represents a supply-chain attack, based on a zero-day vulnerability in a common cloud file transfer application.

Moreover, the hackers, associated with the Russian Clop ransomware group, managed to steal sensitive data from numerous organizations. Additional evidence suggests that the malware was tested in 2021 and that more than 100 organizations have been hit.

MOVEit and indirect victims

On the other hand, the victims of this attack extend beyond those using MOVEit directly, posing a substantial threat to businesses using web and open-source applications. For instance, the payroll provider Zellis and UK regulator Ofcom used the file transfer application, and their employee data was leaked.

Furthermore, numerous businesses that collaborated with these organizations were also impacted and put at risk. These indirect victims included the BBC, British Airways, and Boots. Therefore, modern cyber resilience requires businesses to take rigorous preventive measures internally and validate the security of any external application or service used and the potential exposure of their third-party arrangements.

Along with the above, Ofcom’s declaration acknowledged the disclosure of sensitive employee data and potential harm to Ofcom-regulated companies. Ofcom’s role as a regulator and its affiliation with government matters illustrate the tremendous risks of such attacks. It also highlights the precautionary regulatory measures required for high-risk data breaches under the General Data Protection Regulation (GDPR). Importantly, there is an urgent need for organizations to address post-incident measures and not just preventive steps. This is crucial to make business mechanisms better suited to handling cyber threat incidents. Besides improving the ability to cope with the implications in real time, the lessons learned can assist in building suitable preventive mechanisms across businesses.

Another victim of the attack was the Minnesota Education Department. It reported more than 20 compromised files, including the data of approximately 95,000 students. Some students reported that additional sensitive data was leaked, including college transcript information and the last four digits of their social security number.

Attack rationale

The fact that no ransom demands were posted online by the ransomware operators might hint at the geopolitical goals of the hackers. Some may suggest that this attack sought to cause chaos and harm the reputation of the victim organizations, thereby reducing public trust in their services.

Others might highlight a broader geopolitical opportunity wherein Russian hackers presumably attempt to undermine the image of the UK as a tech leader globally. This notion is particularly relevant as the UK is involved in discussions and initiatives around establishing AI regulations. Nevertheless, while the attack is still being investigated, the rationale remains vague and open to interpretation.

What’s next?

From a regulatory standpoint, the EU is currently working on amending the Cyber Resilience Act. It aims to strengthen Europe’s defence against cyberattacks on IoT devices, computers, and smartphones.

Notably, the law will require device manufacturers and distributors to disclose vulnerabilities. It also introduces a novel obligation to report alleged security incidents to the EU Agency within 24 hours. However, this disclosure does not include public disclosure, and consumers may remain unaware of vulnerabilities.

Despite the loopholes in the proposed act, the increase in the scope of cyberattacks and victims requires businesses to embed cyber resilience in their organizational culture. As the attack investigation continues, greater efforts should be dedicated to strengthening the resilience of all businesses against the threats of cyberattack innovation and manipulation.