Date: May 2023
Location: United Kingdom

Summary

The Superannuation Arrangements of the University of London (SAUL) was a victim of a widespread cyberattack exploiting a zero-day vulnerability in the MOVEit file transfer software. The Clop ransomware group was responsible for the data exfiltration, which resulted in the personal information of over 68,000 pension scheme members being exposed. This incident was part of a larger campaign affecting numerous organizations globally.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The Clop ransomware group exploited a zero-day vulnerability, designated CVE-2023-34362, in Progress Software’s MOVEit file transfer application. The majority of the attack activity was launched on May 27 and May 28, 2023, a timing that coincided with the Memorial Day holiday weekend in the United States. This campaign involved data exfiltration but did not deploy crypto-locking ransomware, a tactic consistent with the group’s prior attack targeting the GoAnywhere file transfer software earlier in the year. Progress Software first released patches for supported versions of MOVEit on May 31, 2023, to address the vulnerability that had been actively exploited.

The Superannuation Arrangements of the University of London, known as SAUL, was identified as a victim of this campaign. SAUL, a pension scheme providing services to more than 50 universities, began informing its members on or around Friday, June 23, 2023, that their personal details had been exposed. The organization has more than 68,000 members. The specific number of individuals impacted at SAUL and the exact types of personal information stolen were not publicly disclosed in the immediate aftermath.

The incident was part of a much broader supply chain attack that ultimately affected over 130 organizations globally. Other prominent victims included the New York City Department of Education, where attackers stole data pertaining to approximately 45,000 students, staff, and service providers, including 9,000 Social Security numbers. The University of California, Los Angeles (UCLA) also fell victim, confirming it used MOVEit Transfer to transfer files across campus and to other entities. UCLA discovered the attack on June 1, launched an investigation, and proceeded to notify all impacted individuals.

The attack had significant downstream effects through service providers. PBI Research Services, which assists financial services firms, was compromised, leading to the theft of data it stored on behalf of its customers. This resulted in separate breach notifications from multiple PBI customers. Genworth Financial reported that personal information for up to 2.7 million of its customers and agents was stolen from PBI. The California Public Employees' Retirement System (CalPERS) reported that nearly 770,000 members' personal information had been stolen from PBI. Wilton Reassurance Co. reported a breach affecting 1.5 million customers, including their Social Security numbers.

Other known victims spanned numerous sectors and included oil and gas giant Shell, U.S. financial services firms 1st Source and First National Bankers Bank, The Boston Globe, the government of the Canadian province Nova Scotia, the U.K. media watchdog Ofcom, and the British payroll provider Zellis. The compromise of Zellis subsequently impacted eight of its customers, including the BBC, the Boots pharmacy chain, and British Airways. Multiple U.S. government agencies were also affected, including the Department of Energy.

The Clop group claimed responsibility for the attacks and used its data leak site to list victim organizations and pressure them into paying a ransom. The group stated on its site, "We leak names slowly to give big companies time to contact us." In a notable departure from typical ransomware behavior, Clop claimed it had deleted government data stolen from 30 organizations as part of this campaign, asserting a purely financial rather than political agenda. The group’s statements, however, could not be independently verified, and the possibility remained that data of interest could have been sold to foreign intelligence services prior to any claimed deletion.

The legal and regulatory consequences of the widespread attack began to materialize quickly. A group of Louisiana residents, whose personal information was exposed in the breach of the state’s Office of Motor Vehicles, filed a lawsuit against Progress Software in federal court seeking class action status. The lawsuit alleged negligence in the software company's security practices.

The incident response involved coordinated efforts from numerous entities. Victim organizations launched internal investigations upon discovery, engaged external cybersecurity experts, and began the process of notifying affected individuals and regulatory bodies as required by law. Many, including the New York City Department of Education and UCLA, offered impacted individuals access to identity monitoring services. Law enforcement agencies, including the FBI and the New York Police Department, opened investigations into the attacks.

The scope of the incident continued to evolve as more organizations completed their forensic investigations. The cybersecurity research firm KonBriefing reported that at least 131 organizations had been affected as of June 28, 2023. Progress Software continued its response by patching two additional zero-day vulnerabilities in MOVEit on June 15, though these later flaws did not appear to have been exploited by attackers. The widespread exploitation of a single vulnerability in a widely used file transfer tool demonstrated the significant impact of supply chain attacks on organizations and the personal data of millions of individuals globally.

Sources: 2 sources (available to members)