UK communications regulator Ofcom has revealed it is one of the victims of the ‘MOVEit’ cyber attack, in which cybercriminals downloaded the personal data of 412 Ofcom employees, alongside a ‘limited amount of information’ about some of the companies it currently regulates.
What is the MOVEit attack, and who is behind it?
Organisations including the BBC, British Airways, Aer Lingus and now Ofcom have all revealed that employee personal data was stolen by hackers exploiting a vulnerability in the MOVEit Managed File Transfer (MFT) software.
UK-based HR software and payroll provider Zellis was a customer of MOVEit, and the hack resulted in compromised payroll data. The affected companies all utilised Zellis, which held the personal information of the impacted employees.
On Monday 5 June, analysts from Microsoft Threat Intelligence publicly attributed the attack to ‘Lace Tempest’, a threat group known for running the ‘Clop’ extortion site. Past cyber attacks have also been attributed to the same group, which is believed to be based in Russia.
The Clop group posted a notice on the dark web warning affected firms to email the group before 14 June, or all of the stolen data would be published. The request is unusual when compared to other cyber attacks, in which the attacker usually gets in touch with those who own the compromised information. In this case, it is believed that the group may not be able to keep up with the scale of its attack.
Clop claimed on its leak site that it has deleted any data from government, city or police services as it has “no interest” in exposing that type of information.
How can affected organisations reduce the repercussions?
With the threat of publishing large amounts of private information looming, all affected firms will now be considering the best course of action to limit the damage caused by the attacks, and to avoid a repeat in the future.
Christine Sabino, legal director at law firm Hayes Connor, discussed the dangers of the stolen information and how organisations can minimise the damage caused: “Personal information, even in small fragments like names, dates of birth, or national insurance numbers, can lead to identity theft, resulting in financial losses, and reputational damage.
“However, in this case, where there’s a combination of data shared, the risk is maximised for the employees whose data has been exposed.
“It is clear many of the companies involved are taking the incident very seriously, as communication lines with employees affected have already been quite open. That said, for those affected, this will no doubt be a very stressful time, so seeking the support of experts to help mitigate the damage is advised.
“It is crucial for businesses to implement stringent data security measures and maintain transparency with their customers, partners, and employees. By doing so, organisations can mitigate risks, safeguard sensitive data, and demonstrate their commitment to protecting individuals’ privacy.”
Ofcom is ‘another feather in the cap of the cybercriminals’
However, implementing stringent security measures and abiding by protective policies will not ensure safety in the future. The MOVEit hack highlights hackers’ ability to gain access to information via the use of third-party products and services.
Marijus Briedis, a cybersecurity expert at VPN service provider NordVPN, commented on the hack: “Stealing personal and company data from under the nose of the UK’s media regulator will be another feather in the cap of the cybercriminals behind the MOVEit hack.
“The large scale of the attack and high-profile victims like the BBC, British Airways and Ofcom suggest this was meticulously planned, and the vulnerability of the file-transfer software may have been known by the hackers for several months.
“If, as suspected, they are connected to the Russian-based Clop group, this significant data heist will raise the attackers’ profile within the competitive ransomware-for-hire market that exists on the dark web. It also shows the ongoing risk of supply chain attacks on the UK, with opportunistic hackers looking to prey upon third-party services – in this case, a payroll company using MOVEit – as a path to landing a big fish further down the line.”