Cyber Incident Victim: Putnam Investments
Date: May 2023
Location: United States of America
Summary
Putnam Investments was compromised as part of a mass ransomware attack exploiting a critical vulnerability in the MOVEit Transfer file-sharing application. The Russia-linked Clop gang claimed responsibility for the breach and listed the investment firm on its dark web leak site. The attackers stated they had exfiltrated a significant amount of data and issued a ransom demand, though the specific nature of the compromised information was not immediately detailed in the initial disclosure.
Description
A ransomware gang known as Clop began exploiting a critical security vulnerability in the MOVEit Transfer file transfer tool developed by Progress Software in late May 2023. This Russia-linked group had been experimenting with ways to exploit this particular vulnerability for almost two years prior to its public disclosure, indicating a sophisticated level of planning and knowledge. The vulnerability was patched by Progress Software, but not before a significant number of its corporate and enterprise customers were compromised while using the tool to share large files over the internet. The exact number of initial victims remained unknown.

On June 15, 2023, Clop took the unusual step of publicly listing the first batch of organizations it claimed to have hacked on its dark web leak site. This list included Boston-based investment management firm Putnam Investments. The gang did not follow its typical pattern of directly contacting victims to demand a ransom payment. Instead, a blackmail message posted on the site instructed all listed victims to contact the gang prior to a June 14 deadline. At the time of the listing, no stolen data from Putnam Investments or the other named victims had been published. The gang claimed to have downloaded "alot of your data" but provided no specific details regarding the nature or volume of information taken from any single entity.

Other organizations listed alongside Putnam Investments in this first batch included U.S.-based financial services organizations 1st Source and First National Bankers Bank, the Netherlands-based Landal Greenparks, and the U.K.-based energy giant Shell. Financial software provider Datasite, educational non-profit National Student Clearinghouse, student health insurance provider United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, and the University System of Georgia were also named. GreenShield Canada, a non-profit benefits carrier, was initially listed but was later removed from the leak site. A spokesperson for the University System of Georgia confirmed they were evaluating the scope and severity of the potential data exposure and stated that notifications would be issued to affected individuals if necessary, consistent with federal and state law.

Multiple other organizations had previously disclosed they were compromised as a result of the same MOVEit attacks prior to Clop's public listing. These included the BBC, Aer Lingus, and British Airways, which were all affected because they relied on HR and payroll software supplier Zellis. Zellis confirmed that its own MOVEit system had been compromised. The Government of Nova Scotia, which used MOVEit to share files across departments, also confirmed it was affected and stated that some citizens’ personal information may have been compromised. In a message on its leak site, Clop claimed it had erased all data belonging to governments, cities, or police services.

New victims continued to come forward following the public listing. Johns Hopkins University confirmed a cybersecurity incident believed to be related to the MOVEit mass-hack, stating the data breach may have impacted sensitive personal and financial information, including names, contact information, and health billing records. The U.K.’s communications regulator, Ofcom, confirmed that hackers had accessed some confidential information about the companies it regulates, along with the personal information of 412 Ofcom employees. Transport for London (TfL), the government body responsible for running London’s transport services, and global consultancy firm Ernst and Young were also reported to be impacted. Many more victims were expected to be revealed in the coming days and weeks, with thousands of MOVEit servers—most located in the United States—still discoverable on the internet at the time. The full extent of the attacks remained unknown.
