Cyber Incident Victim: Gen Digital
Date: Jun 2023
Location: United States of America
Summary
The cyber incident involved Gen, the parent company of Norton LifeLock, where attackers exploited vulnerabilities in the MOVEit file transfer tool. This resulted in unauthorized access to the personal information of Gen employees and contingent workers, including names, company email addresses, employee ID numbers, and in limited cases, home addresses and dates of birth. The company confirmed its IT systems, services, and customer data were not impacted and it notified relevant data protection authorities and affected personnel.
Description
On or around June 21, 2023, the cybersecurity company Gen, owner of brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner, confirmed a security incident involving its employee data. The breach was the result of malicious actors exploiting vulnerabilities in the MOVEit file transfer tool, a third-party application used by Gen employees for file transfers. The company discovered the malicious activity and immediately initiated an investigation into the scope of the issue. According to a company spokesperson, the incident had no impact on Gen's internal IT systems, its commercial services, or any customer information. The impact was confined to the personal information of Gen employees and contingent workers.

The investigation determined that the accessed data included information such as employee names, company email addresses, and employee ID numbers. In a more limited number of cases, the compromised information also included home addresses and dates of birth. Following its investigation to determine the scope, Gen notified the relevant data protection authorities in accordance with regulations. The company also directly notified its employees and contingent workers whose data may have been impacted by the intrusion. This incident represented the second cybersecurity event to affect the company within the year, following a prior credential stuffing incident that resulted in 925,000 active and inactive Norton accounts being locked down.
Gen was not the only organization to announce a breach related to the MOVEit software vulnerabilities during this period. The Clop ransomware group claimed responsibility for a wide array of attacks exploiting these vulnerabilities and began publicly naming its victims. One such named victim was the University of Missouri, a spokesperson for which confirmed the school was investigating a security breach. The Metro Vancouver Transit Police also published a statement confirming that hackers had accessed 186 files that had been transferred using their MOVEit instance. The police agency stated that the hackers never gained access to its internal network and that an investigation into the incident was being led by the Royal Canadian Mounted Police. The agency was still examining the contents of the compromised files to determine the exact nature of the data exposed.
At the state government level in the United States, the Colorado Department of Health Care Policy & Financing confirmed it was investigating a MOVEit incident involving the data of state residents. The department stated that early analysis indicated it was reasonable to believe the personal identifiable information of individuals served by Health First Colorado, the state's Medicaid program, and Child Health Plan Plus (CHP+) could have been impacted. This potential impact extended to anyone who had applied for or been covered by these safety net health coverage programs anytime since 2015. The department announced that as soon as the specifics and extent of the impact were determined, it would directly notify affected individuals. Concurrently, the department's experts were working with the national third-party vendor to address the cybersecurity intrusion with the goal of preventing any further data file compromises.
The widespread exploitation of vulnerabilities in the MOVEit file transfer tool, developed by Progress Software, began approximately three weeks prior to these announcements. The controversy expanded significantly as new victims were identified. By June 21, at least three U.S. federal agencies—the Department of Energy, the Department of Agriculture, and the Office of Personnel Management—were confirmed to have been affected. The Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, publicly stated that "several" federal agencies were impacted but did not provide a specific number. The list of affected organizations extended beyond government bodies to include major corporations and institutions across multiple countries.
Other U.S. entities impacted included state-level agencies in Illinois, Missouri, Minnesota, Oregon, and Louisiana. The private sector was also heavily impacted, with oil giant Shell confirming it was affected. In the education sector, schools such as Johns Hopkins University, the University of Georgia, and the University of Rochester were named as victims. Internationally, Canadian government bodies in Nova Scotia and numerous organizations in the United Kingdom fell victim to the same campaign. Affected U.K. organizations included communications regulator Ofcom, the BBC, British Airways, Irish carrier Aer Lingus, and pharmacy chain Boots. The sheer scale of the attacks demonstrated the broad use of the MOVEit application and the severe consequences of the vulnerabilities within it.
In response to the discovered exploits, Progress Software, the company behind MOVEit, announced two new vulnerabilities in the product that required urgent remediation. The company provided patches and guidance to its customers to secure their instances of the software against further attack. The legal and financial repercussions of the incident began to materialize, as Progress Software faced a federal class action lawsuit over its handling of the vulnerabilities and the subsequent widespread data breaches. The lawsuit, reported by Bloomberg News, alleged failures in the company's security practices and its disclosure of the flaws. For victims like Gen, the primary response actions involved internal investigation, notification of authorities and affected individuals, and an assessment of the data exfiltrated. The overall response across all sectors highlighted a coordinated effort to contain the immediate threat through patching and to manage the fallout from the mass data theft that had already occurred.
