Cyber Incident Victim: PwC Australia

Date: May 2023

Location: Australia

Summary

PwC Australia was impacted by a global cybersecurity incident involving the MOVEit file transfer service, which was exploited by the Cl0p cybercrime group. The breach affected a limited number of the firm's clients who used the platform. PwC stated its own internal IT network remained secure and was not compromised. The company immediately stopped using the software upon discovery, initiated an investigation, and notified affected clients. A ransom demand was issued by the attackers, but PwC declined to comment on it.

Description

Around late May 2023, Russian-linked cybercriminals known as Cl0p carried out a global cybersecurity breach by exploiting a vulnerability in the widely used file-sharing software MOVEit, which is produced by the American firm Progress. The incident constitutes a supply chain attack: it targeted a third-party service that numerous organizations use to transfer data. The Cl0p group began stealing data from a range of entities, including US federal agencies, energy giant Shell, and the BBC. The group issued a ransom demand to victim companies, instructing them to pay or have their files released publicly on the dark web. The threat was posted in early June with a stated compliance deadline of June 14.

PwC Australia was among the hundreds of organizations impacted by this global breach. The firm confirmed on May 31, 2023, that it had used the MOVEit software for a limited number of its clients. Upon becoming aware of the incident, PwC Australia immediately stopped using the MOVEit platform. The company launched an investigation to determine the scope of the impact and initiated communications with those clients whose files were potentially exposed through the compromised service. A PwC spokesman stated that the firm’s own internal IT networks and systems remained secure and were not compromised in the attack. The spokesman declined to comment on whether Cl0p’s ransom demand was directed at PwC or if any payment was considered.

The incident added to significant existing reputational challenges for PwC Australia, which was concurrently managing fallout from an unrelated matter referred to as the Collins tax scandal. Despite this, the firm publicly emphasized that data security was a key priority and asserted that it continued to allocate the necessary resources and safeguards to protect its network. PwC Australia markets itself as a cybersecurity advisor to other companies, promoting its expertise in helping to prevent and address breaches.

Another major consultancy, EY, was also affected by the same MOVEit breach. An EY spokeswoman stated the firm learned of the vulnerability on May 31, 2023, when Progress confirmed the issue. EY immediately launched an investigation into its own use of the MOVEit tool and took urgent steps to safeguard any data that might be at risk. The investigation found that most of EY’s systems using the transfer service were not compromised; however, the firm was conducting a manual investigation to identify any instances where data may have been accessed. EY was also communicating with its customers and relevant authorities throughout the process. Similar to PwC, EY declined to comment on the ransom demand from Cl0p.

The software vendor, Progress, responded to the discovery of the vulnerability by patching it within a 48-hour period. The company also provided aid to its affected clients and enlisted some of the world’s top cybersecurity firms to assist in the response effort. The breach’s impact was not limited to the private sector. The Australian Securities and Investments Commission (ASIC) confirmed it used the MOVEit service but stated it had immediately secured the service upon learning of the vulnerability. An ASIC spokesman expressed satisfaction that no information had been compromised at any stage.

The Australian government, through a spokesman for Cyber Security Minister Clare O’Neil, acknowledged awareness of the MOVEit hack and stated it was ready to assist any Australian interests involved. The scale of the breach led cybersecurity experts to anticipate further Australian victims would be identified. Katherine Mansted, intelligence director at digital security firm CyberCX, described MOVEit as part of the invisible digital infrastructure used by governments and companies to transfer information, making widespread impact likely. This incident was part of a pattern of activity for the Cl0p group, which had executed two other global attacks in the preceding three years. Earlier in 2023, the same group had accessed data from mining giant Rio Tinto and Crown Resorts through another third-party file transfer service called GoAnywhere.
