The MOVEit breach: what to know and what to do about it

The MOVEit breach is likely to be one of the largest in history. Here is how it might affect you and how you should respond.

If you are not already aware of the MOVEit Transfer breach, you likely will be soon. At last count, 46 million people and 600+ organizations were confirmed to have been impacted by this massive data breach, and that number is still rising. The FBI currently estimates that a sobering 3,000 organizations have been impacted in the US alone—most of them still unaware of the attack.

How did this happen?

MOVEit Transfer is a popular file management software designed to transfer sensitive information. In May 2023, a small line of malicious SQL code was discovered in MOVEit by Progress, the company behind MOVEit Transfer. That code allowed the Russian cybercrime group “Cl0p” to hijack some of the sensitive information flowing through MOVEit.

Once they had access to the information, Cl0p began to extort MOVEit clients—threatening to release their sensitive customer data unless they were paid. Unfortunately, Cl0p has proven good to its word and has since released enormous amounts of sensitive information.

Since that time, a staggering number of individuals have been potentially compromised through their pension funds, contractors, state DMVs, departments of social services, financial institutions, county governments, and universities.

Due to the seriousness of this incident, the National Institute of Standards and Technology (NIST) has assigned a severity score of 9.8 out of 10 (critical) to the breach in its National Vulnerability Database, and the U.S. State Department has levied a $10 million bounty against Cl0p.

Missourians have not dodged this cyber bullet. In August 2023, the Missouri Department of Social Services (DSS) confirmed that they had been compromised through this attack.

The DSS press release acknowledged that they were a downstream victim of the attack—although they did not use MOVEit software, one of their vendors (IBM) did, resulting in the breach of DSS data. In particular, Missouri citizens that coordinate their Medicaid coverage through DSS have likely been compromised.

What should you do if you have been compromised by the MOVEit data breach as an individual?

If you have been informed that your personal data has been potentially compromised, you should immediately change any passwords associated with the impacted email address and begin to monitor your accounts for any suspicious activity.

In addition, US citizens have the right to request one free credit report annually from Equifax, Experian, or TransUnion. Potential victims that believe that fraudulent activity may be occurring under their names are encouraged to check their credit reports and report any suspected identity theft to the Federal Trade Commission.

Finally, you can add a fraud alert to your credit report file in order to protect your credit information and prevent fraudsters from abusing your identity. Although this may slow down your own ability to obtain credit, it will also complicate the process for anyone attempting to fraudulently obtain credit in your name.

You can add the fraud alert to your account (free of charge) by contacting any of the credit reporting agencies listed above. You only need to notify one of the three. Whichever agency you contact will automatically notify the other two agencies.

How can you know if your business’s data has been compromised by the MOVEit data breach?

If you use MOVEit Transfer, you should have already been notified and taken the steps listed below in order to mitigate the impact of the attack. However, even if you do not use MOVEit, you could still be exposed if your vendors have been affected.

We recommend that all businesses contact their vendors to directly ask if they have been affected by the data breach. In addition, you should review your vendor contracts to make sure that they require immediate disclosure from your vendors if they are ever compromised.

How can you respond if your business’s data has been compromised by the MOVEit data breach?

If your business uses MOVEit Transfer, you should immediately follow the guidelines provided by Progress on their Vulnerability webpage. We will summarize their main points below, but all users should follow the detailed instructions on their webpage.

1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
   Use your firewalls to deny access to MOVEit Transfer on ports 80 and 443 until the patch is applied.
2. Review, Delete and Reset accounts.
   Delete any instances of files containing the “human2” prefix or “.cmdline” script files. Search the MOVEit Transfer servers for new files in the directories indicated by Progress. Remove unauthorized user accounts. Stop all active sessions. Review logs. Reset account credentials.
3. Apply the software patch provided by Progress.
   You can find the most recent version of the patch on the Progress Vulnerability response website.
4. Verify that all compromised files have been removed.
   Repeat step number two to check for indicators of compromise.
5. Perform continuous monitoring.
   Keep abreast of how the vulnerability response continues at Progress’s update page.