Cyber Incident Victim: Agilysys
Date: May 2023
Location: United States of America
Summary
Agilysys, a hospitality software vendor, was among the numerous organizations compromised in the Clop ransomware group's widespread attack exploiting a zero-day vulnerability in MOVEit file transfer software. The incident was part of a large-scale data theft spree that affected over 500 organizations and millions of individuals. Agilysys was publicly named by the threat actors after data was stolen from its MOVEit server.
Description
The Clop ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer software beginning around May 29 and May 30, 2023. The timing of the attack appeared to be coordinated to take advantage of the Memorial Day holiday weekend in the United States. Progress Software patched the flaw on May 31 and issued a security alert warning its customers to immediately update their software. The attack was a data-grabbing spree in which the threat actors exfiltrated data from the file transfer servers of numerous organizations that used the software.

Hospitality software vendor Agilysys was among the many organizations affected by this widespread attack. In the days following the initial exploitation, the Clop group added approximately 70 new organizations to its data leak site, and Agilysys was named among them. This public listing indicated that the company was a victim of the attack campaign and had likely experienced a data loss incident. The method of compromise for Agilysys was exploitation of the MOVEit vulnerability, as was the case for every organization named by Clop in this wave of attacks.
The scope of the incident was vast, extending far beyond Agilysys. By June 27, 2023, at least 516 organizations were reported to have been directly or indirectly affected by the Clop group's MOVEit attacks. The total number of individuals impacted was estimated to be at least 36 million, based on data breach notifications issued by approximately one-fifth of the victim organizations that had provided a count. A significant number of the affected organizations were service providers, meaning that when Clop stole data from their MOVEit servers, it obtained data belonging to many of their clients and customers, amplifying the breach's consequences.
The country most affected was the United States, with 73% of the known victims being U.S.-based organizations. The financial services, professional services, and education sectors accounted for the greatest number of known incidents. Specific victims included U.S. government contractor Maximus, AmeriSave Mortgage Corp., the College of American Pathologists, software development firm Informatica, consultancy giant Deloitte, Johns Hopkins Health System, and the Chuck E. Cheese restaurant chain. The attack on Maximus represented one of the largest single breaches, with the exfiltration of 169 gigabytes of data affecting an estimated 8 million to 11 million individuals. The company reported that the leaked information included health data and Social Security numbers.
In response to the breach, Maximus promptly commenced an investigation following the May 31 security alert from Progress Software. The company hired third-party digital forensic investigators to conduct a probe. Based on the review of impacted files, Maximus determined the files contained highly sensitive personal information. The company estimated it would spend $15 million on its response efforts, which included sending out millions of data breach notifications and offering affected individuals prepaid credit monitoring and identity theft protection services.
Another significant service provider victim was Pension Benefit Information Research Services, also known as PBI. The breach of PBI's MOVEit server had a cascading effect, leading to a long and growing list of its financial services customers having to issue their own data breach notifications. These notifications informed individuals that their names and Social Security numbers had been stolen. Specific PBI customers issuing large notifications included Teachers Insurance and Annuity Association of America, which notified 2,373,076 individuals; Corebridge Financial, which notified 798,000 individuals; Talcott Resolution Life Insurance, which notified 557,741 individuals; and Aurora National Life Assurance Co., which notified 48,457 individuals.
Other organizations were still investigating the full scope of their intrusions at the time of reporting. The National Student Clearinghouse, which works with over 3,500 colleges and universities and holds data on 17.1 million current postsecondary students, had not yet detailed how many individuals might be affected by the breach of its systems. The Clop group claimed on its data leak site that it had deleted any stolen data pertaining to government entities, suggesting it did not attempt to extort those specific victims. The total number of organizations hit, including those that may have paid a ransom to avoid being named publicly, remained unclear. Security experts estimated the ransomware group may have gained $75 million or more by extorting large victims while publicly listing others. The incident continued to develop as more organizations completed their investigations and issued notifications to affected individuals.
