
Cyber Incident Victim: University of California, Los Angeles

Date: Jun 2023

Location: United States of America

Summary

The University of California, Los Angeles was impacted by a data breach involving the MOVEit file transfer tool. The intrusion was claimed by the Cl0p ransomware group, which boasted of stealing data from the institution. The university stated its campus systems were unaffected by the incident and that it had notified all individuals whose data was compromised in the attack.


Description

On or around June 27, 2023, the University of California, Los Angeles (UCLA) publicly confirmed it was among the victims of a widespread data breach exploiting a vulnerability in the MOVEit file transfer software. The announcement was made following claims posted by the cybercriminal group known as Cl0p, which had boasted on its website about stealing data from the university. This incident was part of a larger, global campaign affecting scores of corporations, governments, and institutions that utilized the MOVEit application for transferring sensitive information. The breach did not originate from an attack on UCLA's internal campus systems but was a result of the compromise of the third-party MOVEit tool used by the organization.


The MOVEit software is a managed file transfer application developed by Progress Software and is used by organizations worldwide to share large volumes of sensitive data securely. The specific vulnerability exploited by the Cl0p group, designated CVE-2023-34362, was a critical SQL injection flaw in the MOVEit Transfer web application. This vulnerability allowed unauthorized attackers to gain access to the MOVEit database and execute arbitrary commands, effectively permitting them to steal files that organizations had uploaded through the system. The zero-day exploit was identified and publicly disclosed by Progress Software on May 31, 2023, prompting the release of security patches. However, the Cl0p group had been actively exploiting the vulnerability prior to this disclosure.

UCLA's investigation determined that its campus systems and networks remained unaffected by the incident. The compromise was isolated to the specific MOVEit file transfer service used by the university. The university did not publicly disclose the precise number of individuals impacted, the specific types of data exfiltrated, or the total volume of data stolen. The nature of the data typically transferred via such systems at academic institutions often includes personal, financial, and research information. The university stated that all individuals whose data was compromised in the breach had been notified as part of its response protocol.

In its public statement, UCLA did not provide details on the initial detection timeline or the specific internal response actions taken, such as the engagement of third-party forensic experts or law enforcement. The broader context of the incident involved the Federal Bureau of Investigation (FBI), which issued a statement confirming it was aware of and investigating the recent exploitation of the MOVEit vulnerability by malicious ransomware actors. The Cl0p group, a ransomware-as-a-service operation known for double-extortion tactics, typically exfiltrates data before encrypting systems and then threatens to publish the stolen information unless a ransom is paid. In this campaign, it used a different approach: rather than deploying traditional ransomware payloads, it exploited a zero-day vulnerability in widely used software and focused exclusively on data theft and extortion.

The primary impact of the incident for UCLA was the confirmed compromise of data stored on its MOVEit transfer server. The university’s operational functions, including teaching, research, and administrative activities, were not disrupted as core campus systems were isolated from the breach. The consequence was a compromise of personal information belonging to an undisclosed number of students, faculty, staff, or other affiliated individuals. The financial impact, including potential costs associated with investigation, notification, and offered credit monitoring services, was not quantified in the public statements. The reputational impact was acknowledged through the necessity of a public disclosure confirming the university's status as a victim of a significant global cyber attack.

The university's confirmed response actions included conducting an investigation to determine the scope of the data compromise. This investigation affirmed that no critical campus operations or systems were affected. The key remediation step taken was the notification of all individuals whose data was impacted by the breach. UCLA did not state whether it received a ransom demand from the Cl0p group or if any communication with the threat actors occurred. The broader response to the MOVEit campaign involved a coordinated effort from the cybersecurity community, including the release of patches from the software vendor, alerts from government agencies like the Cybersecurity and Infrastructure Security Agency (CISA), and investigations by international law enforcement.
