Cyber Incident Victim: WSP Global Inc.

Date: Jun 2022

Location: Canada

Summary

A subsidiary of engineering firm WSP experienced unauthorized data access as part of the Cl0p ransomware group's widespread exploitation of vulnerabilities in the MOVEit secure file transfer platform. The breach resulted in the theft of a limited volume of non-sensitive corporate information, and the organization confirmed that no personal or confidential data was compromised. The incident occurred alongside numerous other global victims impacted through third-party service providers using MOVEit, though WSP's internal systems remained unaffected. According to company statements, the exfiltrated data included institutional records but no private individual details.

Description

The incident involving a WSP subsidiary occurred within the broader context of the global MOVEit file transfer software breach orchestrated by the Cl0p ransomware group in June 2022. Attackers exploited a zero-day vulnerability in the MOVEit secure file transfer platform, which was widely used by organizations to share sensitive data. The vulnerability allowed unauthorized access to data stored on MOVEit servers, leading to mass data exfiltration affecting over 60 million individuals worldwide, according to cybersecurity firm Emsisoft. The breach remained undetected for weeks, with Cl0p operators gradually exfiltrating data from multiple organizations through compromised MOVEit instances. Among the affected entities was a subsidiary of WSP Global Inc., the Montreal-based engineering professional services firm.

WSP's subsidiary experienced the theft of "a small quantity of information" according to Sandy Vassiadis, Global Chief Communications Officer, who confirmed the breach in August 2023. Based on the company's internal investigation, the compromised data excluded personal information and sensitive corporate data. Unlike other victims such as the Quebec Construction Commission (CCQ) and insurance provider Beneva, WSP's breach did not involve financial records, health claims, or personally identifiable information beyond potentially basic organizational data. The company did not implement credit monitoring services for affected parties, in contrast with the responses of other breached organizations, as the nature of the stolen data did not warrant such measures. The incident formed part of a wider pattern affecting multiple Canadian entities, including government agencies, healthcare providers, and professional services firms that relied on MOVEit for secure data transfers. Vassiadis's August statement represented WSP's primary public communication regarding the breach, emphasizing its limited scope compared to more severe cases involving sensitive personal or health data. The company maintained that its core systems remained uncompromised throughout the incident.