MOVEit carnage continues with over 2600 organizations and 77M people impacted so far

About 2,620 organizations and 77.2 million people have been impacted by the hacking of file transfer service MOVEit since May earlier this year, according to New Zealand-based cybersecurity firm Emsisoft. Russian-linked ransomware group Clop had claimed responsibility for the attack on June 6.

US-based organizations are the worst impacted, with 78.1% of the affected organizations from the country. It was followed by Canada with 14%, Germany with 1.4%, and the UK with 0.8% of the affected organizations, according to Emsisoft.

Most of the impacted organizations are from the education sector, with 40.6% coming from this segment, followed by health (19.2%) and finance and professional services (12.1%). The findings by Emsisoft are based on data from public disclosures, SEC filings, state breach notifications, and Clop's website.

The severity of the cyberattack can be gauged by the fact that it impacted the customer records of antivirus major Gen Digital, the parent company of Norton and Avast.

Avast revealed that some of its customers' "low-risk customer personal information" was compromised. As per the Emsisoft report, the MOVEit incident affected the data of three million of Avast's individual customers.

MOVEit impacted several prominent businesses as well as government organizations. Maximus, Louisiana Office of Motor Vehicles, Alogent, Colorado Department of Health Care Policy and Financing, Welltok, US Department of Energy, Shell Oil, British Airways, State of Maine, Genworth, and Oregon Department of Transportation are some of the other organizations impacted by the MOVEit incident.

Progress Software issued a patch for a vulnerability on May 31, followed by second and third patches on June 9 and June 15, respectively.

Growing security threat

MOVEit has emerged as a major security incident with long-term ramifications for the affected companies and their customers. It puts the spotlight on the challenges faced by organizations in protecting their data.

Because of the security incident, Progress Software Corporation, owner of the MOVEit platform, now faces an investigation from the US Securities and Exchange Corporation (SEC). Besides, it faces a class action lawsuit by Hagens Berman, a consumer-rights law firm. Several affected organizations and people are seeking compensation for the damage.

As the frequency and intensity of cyberattacks and data breaches continue to rise in all geographies every year, it is becoming tougher for businesses to protect their data. As per a recent IBM report, the average cost of a data breach touched an all-time high in 2023 of $4.45 million, which represents an increase of 2.3% from 2022. In addition, the IBM report says the average cost per record involved in a data breach is $165 in 2023.

Another revelation of the MOVEit incident is that organizations must make an effort to ensure their supply chain’s safety and not just internal security, considering that several impacted organizations were not the direct users of MOVEit.