
Cyber Incident Victim: Ernst & Young

Date: Jun 2023

Location: United Kingdom

Summary

A cyber attack exploiting a vulnerability in the MOVEit file transfer tool compromised Ernst & Young. The incident was part of a wider supply-chain attack attributed to the Clop ransomware group. Confidential company data and personal information of employees were downloaded during the breach. The firm immediately launched an investigation, took steps to secure data, and began notifying impacted individuals and relevant authorities. The vast majority of its systems using the software were reportedly unaffected.


Description

On or around June 15, 2023, the media watchdog Ofcom confirmed it was a victim of a cyber attack by hackers linked to a notorious Russian ransomware group. The attack was part of a mass hack that exploited a security flaw in MOVEit Transfer, a tool made by Progress Software for moving sensitive files securely. The incident is classified as a supply-chain attack: it affected organizations that used the software directly as well as organizations exposed indirectly through third-party service providers that used it. Confidential data about some companies regulated by Ofcom, along with personal information of 412 Ofcom employees, was downloaded during the attack. Ofcom stated that none of its own internal systems were compromised and that no payroll data was part of the breach. On discovery, the organization immediately stopped further use of the MOVEit service and implemented the recommended security measures. It swiftly alerted all affected companies it regulates and referred the incident to the Information Commissioner's Office (ICO), while also offering support to its impacted colleagues.


Accountancy firm Ernst & Young (EY) also confirmed it was a victim of the same mass hack. Upon becoming aware of the problem with the MOVEit software, the firm immediately launched an investigation into its use of the tool and took urgent steps to safeguard any data that might have been at risk. EY reported that the vast majority of its systems which utilized the MOVEit software were unaffected by the breach. However, the firm acknowledged it was manually and thoroughly investigating specific systems where data may have been accessed. EY's stated priority was to first communicate with those individuals impacted by the incident, as well as to notify the relevant authorities. The firm characterized its investigation as ongoing at the time of the report.

The initial disclosure of the vulnerability came from the US-based company Progress Software, which announced that hackers had found a way to break into its MOVEit Transfer tool. The criminals responsible for exploiting the flaw are linked to the Clop ransomware group, which is thought to be based in Russia. The group is well known for carrying out its threats and has a history of publishing stolen data on its darknet website. In this incident, the group threatened to begin publishing data belonging to companies that had not emailed it to open negotiations by a specified Wednesday. Victims that do not appear on the group's website are commonly assumed to have quietly paid a ransom, typically demanded in hundreds of thousands or even millions of dollars' worth of Bitcoin. Victims are universally encouraged not to pay such ransoms: payment funds further criminal activity and offers no guarantee that the stolen data will not be used in secondary attacks.

The scope of the mass hack extended far beyond Ofcom and EY, affecting a significant number of firms. The breach impacted British Airways, the BBC, Boots, and Transport for London (TfL), among others. TfL reported that one of its contractors had suffered a data breach related to the MOVEit exploit. The transport authority stated the issue had been fixed and its IT systems secured, noting the compromised data did not include banking details. TfL also confirmed it was writing to all affected individuals and had informed the ICO. Importantly, the breach did not relate to any passenger data. For the BBC and other companies like Aer Lingus, the compromise occurred through their payroll processor, Zellis, which used the vulnerable MOVEit software. It is understood that eight companies using Zellis were affected, and dozens of other UK companies were thought to be using MOVEit directly, making them potential targets.

The primary impact of the incident was the exfiltration of sensitive personal and corporate information. For employees of the affected organizations, this included the theft of personal details such as addresses. The download of confidential information pertaining to companies regulated by Ofcom represented a significant compromise of corporate data. The response from victim organizations followed a similar pattern of immediate containment actions, including discontinuing the use of the compromised MOVEit service, applying recommended security patches, and launching internal investigations. Notification procedures were a critical component of the response, with companies alerting affected individuals, business partners, and regulatory bodies like the ICO. The long-term consequence of the attack was the looming threat of data publication by the Clop group, creating reputational damage and potential financial harm for the victims, regardless of whether a ransom was paid. The incident highlighted the systemic risk posed by supply-chain attacks targeting a single, widely used software product to gain access to a multitude of organizations across different sectors.
