Cyber Incident Victim: Radius Global Solutions LLC
Date:
May 2023
Location:
United States of America
Summary
Radius Global Solutions experienced a data breach involving unauthorized access to its MOVEit file transfer application due to a third-party vulnerability exploited by cybercriminals. The incident compromised sensitive personal information including names, Social Security numbers, dates of birth, and health-related details such as treatment codes and payment histories. Over 640,000 individuals were affected across multiple notifications, with the breach occurring during a two-day period and discovered months later. The company initiated an investigation, notified impacted parties, and offered complimentary credit monitoring and identity theft restoration services for 24 months through a third-party provider.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, Radius Global Solutions LLC, a financial services provider based in Edina, Minnesota, disclosed a cybersecurity incident stemming from a vulnerability in the MOVEit Transfer web application exploited by cybercriminals. The breach occurred between May 29 and May 30, 2023, though Radius became aware of the MOVEit vulnerability on June 1, 2023. The company immediately initiated an investigation into its MOVEit database to assess security compromises and identify unauthorized access to documents. Forensic analysis revealed that attackers exfiltrated files containing sensitive personal information, including names, dates of birth, Social Security numbers, patient treatment codes, treatment locations, treatment payment histories, and health insurance provider details. Radius confirmed the breach impacted individuals associated with its business clients, primarily involving data processed during past or ongoing collection efforts.
Radius Global Solutions discovered the full scope of compromised data on August 2, 2023, prompting a multi-phase notification process. Initial breach notifications mailed on September 1, 2023, covered 9,979 affected individuals nationwide, including one Maine resident. A subsequent supplemental notification from September 12–15, 2023, expanded the confirmed impact to 632,204 individuals, including 996 Maine residents, after further review identified additional compromised files. The company collaborated with clients to notify impacted individuals and provided written notices detailing the event, its consequences, and remediation offers. Radius implemented patches and security measures for its MOVEit database and engaged Kroll to deliver 24 months of complimentary credit monitoring and identity theft restoration services to affected persons. Regulatory filings with the Maine Attorney General’s Office confirmed the breach resulted from an external system breach (hacking) and complied with state reporting requirements, including notifying consumer reporting agencies due to the scale of Maine resident exposures. No evidence suggested misuse of the data, though Radius advised vigilance in monitoring financial accounts and credit reports. The incident reflected broader exploitation of the MOVEit vulnerability affecting thousands of organizations globally, with Radius attributing no operational disruptions to the event beyond data exposure.