Cyber Incident Victim: AMC Theatres
Date: May 2023
Location: United States of America
Summary
AMC Theatres experienced a cybersecurity incident stemming from a zero-day vulnerability in the MOVEit file-transfer application. The unauthorized access occurred over a multi-day period, potentially compromising personal information. The company engaged external cybersecurity experts to investigate and remediate the issue, applying available software patches. While no evidence of identity theft was found, complimentary credit monitoring was offered to affected individuals.
Description
On June 1, 2023, IT personnel at American Multi-Cinema, Inc. (AMC Theatres) learned of a zero-day vulnerability within the MOVEit file-transfer application utilized by the company. Upon this discovery, the company immediately initiated its response protocol. The initial steps involved identifying, disconnecting, and remediating the specific network asset that was affected by this vulnerability. Concurrently, AMC engaged outside cybersecurity experts to assist with and undertake a formal investigation into the incident. This external investigation was crucial for determining the scope, impact, and timeline of the unauthorized access.

Based on the findings of the investigation, it was determined that the security incident lasted from May 28, 2023, to June 1, 2023. During this period, it is believed that an unauthorized actor potentially gained access to certain files containing personal information. The incident was part of a broader wave of attacks exploiting the same MOVEit vulnerability across numerous organizations. Once the affected data was identified, AMC promptly engaged a specialized data-review firm to conduct a thorough analysis of the files to determine exactly what types of personal information were contained within them. The company received the results of this detailed data review on June 23, 2023.
Following the receipt of the data review findings, AMC began the process of identifying the individuals whose information was present in the affected files and obtaining their correct mailing addresses. The investigation determined that the types of personal information potentially impacted included names and other sensitive data, though the specific data elements were not detailed in the public notification. The company confirmed that the incident affected a limited number of individuals, with specific figures provided to certain state authorities; for example, the incident involved the personal information of 12 residents of New Hampshire and 3 residents of Rhode Island.
Individual written notification letters were mailed to all affected individuals on July 13, 2023. These letters provided a detailed chronology of the event and outlined the actions taken by AMC in response. The notice clarified that while there was no evidence of identity theft or fraud involving the compromised data at the time of notification, the company was offering a complimentary one-year membership to Experian's IdentityWorks credit monitoring and identity theft protection service to all impacted individuals. The notice included specific instructions for enrollment, including an activation code and a deadline by which to enroll.
In its technical response, AMC applied all security patches supplied by Progress Software, the creator of the MOVEit application, to remediate the zero-day vulnerability that had been exploited. The company also emphasized that it had hired third-party experts not only to investigate the unauthorized activity but also to further secure its systems to protect the personal and other data stored on them moving forward. The notification letter was not delayed as a result of a law enforcement investigation, indicating that the company proceeded with its consumer notification process as soon as its internal review was complete.
The incident had operational impacts, necessitating the immediate disconnection of a critical file-transfer system to contain the breach. The response effort required significant resources, including engaging multiple external firms for forensic investigation, data analysis, and enhanced cybersecurity measures. The financial impact included the costs associated with these external experts, the credit monitoring services offered to victims, and the administrative overhead of managing the notification process across multiple states.
The regulatory impact involved complying with data breach notification laws across various U.S. jurisdictions. AMC provided formal notice to the Attorneys General of several states, including New Hampshire and Rhode Island, detailing the number of affected residents within each state and describing the nature of the incident. The company’s correspondence to the New Hampshire Attorney General, dated July 14, 2023, served as an official submission under that state’s security breach notification statutes. The consumer notification letters also included specific contact information and guidance for residents of Maryland, North Carolina, New York, Washington D.C., and Rhode Island, as required by those jurisdictions' laws.
For the affected individuals, the primary consequence was the potential exposure of their personal information, which carried a risk of future misuse. While no fraudulent use was confirmed at the time of notification, the potential for identity theft necessitated the offering of credit monitoring services and prompted the company to provide detailed recommendations on how individuals could protect themselves. These recommendations included advising victims to remain vigilant by reviewing their account statements and credit reports, considering the placement of fraud alerts or security freezes on their credit files, and knowing how to report suspicious activity to relevant authorities such as the Federal Trade Commission and their state Attorney General.
The company’s response was methodical and followed a clear sequence of detection, containment, investigation, analysis, notification, and remediation. The initial detection occurred on June 1, which triggered the immediate containment action of disconnecting the affected system. The investigation then worked to establish the timeline of May 28 to June 1. The subsequent data analysis took from early June until June 23 to complete. The identification of affected individuals and their addresses occurred between June 23 and the mailing of notices on July 13. The final technical step was the application of all available patches from the software vendor to prevent a recurrence of the incident. This entire process was communicated transparently to the affected individuals and the relevant regulatory bodies.
