Cyber Incident Victim: Chuck E. Cheese's

Date: May 2023

Location: United States of America

Summary

The Chuck E. Cheese restaurant chain was a victim of the widespread Clop ransomware group attacks exploiting a zero-day vulnerability in MOVEit file transfer software. The incident was part of a larger data theft spree that affected over 500 organizations. The attackers exfiltrated data from the company's MOVEit server, and Chuck E. Cheese was subsequently listed on the cybercrime group's data leak site.

Description

The Clop ransomware group began exploiting a zero-day vulnerability in Progress Software's MOVEit managed file transfer application on or around May 29 and 30, 2023. The timing of the attack spree was chosen to coincide with the U.S. Memorial Day holiday weekend, potentially to take advantage of reduced security staffing. The vulnerability allowed the threat actors to steal data from organizations running the software. Progress Software became aware of the flaw and issued a patch on May 31, alongside a security alert urging all MOVEit customers to update to the latest version immediately to mitigate the threat.

The incident impacted a vast number of organizations globally. By late June 2023, the number of organizations directly or indirectly affected had surpassed 515. Security firm Emsisoft reported that at least 36 million individuals had been affected, a figure based only on the roughly one-fifth of known victims whose data breach notifications included a victim count, so the true total is likely higher. A significant majority, 73 percent, of the known victim organizations were based in the United States. The sectors most heavily impacted included financial services, professional services, and education. The attacks affected at least 109 U.S. schools and 23 U.S. public sector organizations, in addition to 31 public sector organizations located outside the United States.

The threat actors, identified as the Russian-speaking Clop cybercrime gang, added victim organizations to their data leak site as part of their extortion strategy. In the days leading up to June 27, the group added 70 new organizations to this site. These recently posted victims included a diverse range of entities such as U.S. government contractor Maximus, AmeriSave Mortgage Corporation, hospitality software vendor Agilysys, the College of American Pathologists, software development firm Informatica, consultancy giant Deloitte, the Johns Hopkins Health System, and the family restaurant chain Chuck E. Cheese. The gang claimed on its leak site to have deleted any stolen data pertaining to government entities, suggesting it did not attempt to extort those specific organizations. Security experts estimated that the ransomware group may have garnered $75 million or more in ransom payments by targeting a few large victims while exposing the data of many others.

The attack on Maximus represented one of the largest individual breaches stemming from this campaign. The company, a major government contractor providing health and human services, reported that 169 gigabytes of data were exfiltrated. In a filing with the U.S. Securities and Exchange Commission, Maximus stated it used MOVEit for internal and external file sharing, including sharing data with government customers pertaining to individuals participating in various government programs. The company promptly commenced an investigation following the May 31 security alert from Progress Software. The subsequent probe by third-party digital forensic investigators concluded that the impacted files contained personal information, including Social Security numbers, protected health information, and other personal data belonging to at least 8 million to 11 million individuals. Maximus estimated it would spend approximately $15 million in response to the incident, which included the cost of sending out millions of data breach notifications and offering affected individuals prepaid credit monitoring and identity theft protection services.

A defining characteristic of this incident was the significant impact on service providers, which acted as force multipliers for the attack's consequences. When Clop compromised a service provider's MOVEit server, it obtained data belonging to all of that provider's clients. One such service provider was Pension Benefit Information Research Services, also known as PBI Research Services. PBI assists financial services firms in meeting regulatory obligations, such as identifying deceased policyholders and notifying beneficiaries. The breach of PBI's systems led to a long and growing list of its customers being forced to issue their own data breach notifications. Notable examples of PBI customers disclosing impacts include the Teachers Insurance and Annuity Association of America, which notified 2,373,076 individuals; Corebridge Financial, which notified 798,000 individuals; Talcott Resolution Life Insurance, which notified 557,741 individuals; and Aurora National Life Assurance Company, which notified 48,457 individuals. The stolen data from these entities typically included customer names and Social Security numbers.

Other service providers were still investigating the full scope of their intrusions at the time of reporting. The National Student Clearinghouse, which works with over 3,500 colleges and universities and holds data on 17.1 million current postsecondary students in addition to historical records, was one such organization. It had not yet determined or publicly detailed how many individuals might be affected by the compromise of its MOVEit system. The widespread and cascading nature of these breaches through third-party service providers significantly expanded the total number of affected individuals and organizations far beyond those that directly operated the vulnerable MOVEit software. The incident demonstrated the severe supply chain risk posed by vulnerabilities in software that is widely used for sensitive data transfers between organizations.
