Cyber Incident Victim: MeridianLink
Date: Nov 2023
Location: United States of America
Summary
MeridianLink suffered a cybersecurity incident in which a threat actor gained unauthorized access to a single non-privileged user account; the access was promptly contained. The company's investigation found no evidence that the threat actor reached production platforms, networks, databases, or customer systems, and no evidence that ransomware or malware was deployed. The personally identifiable information of fewer than 75 consumers was affected, and notifications were underway. The ALPHV/BlackCat ransomware group claimed responsibility, asserting that it had stolen data without encrypting systems, and filed a complaint with the SEC alleging that MeridianLink had failed to disclose the breach, although the reporting rule it cited was not yet in effect. The event caused minimal business disruption, and the organization continues to work with outside experts to strengthen its security measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
MeridianLink discovered the incident and, on November 10, 2023, detected unauthorized access to a non-privileged user account. The company promptly removed the threat actor's access and opened an investigation involving its internal security teams, external cybersecurity experts, and law enforcement. Forensic analysis found no evidence that the attacker accessed MeridianLink's networks, servers, databases, integrations, or customer product platforms, and no evidence that ransomware or malware was deployed. Separately, the ALPHV/BlackCat ransomware gang claimed responsibility for breaching MeridianLink on November 7, alleging that it had stolen data without encrypting any systems. The group listed MeridianLink on its leak site on November 15 and threatened to publish the stolen data unless a ransom was paid within 24 hours. ALPHV then escalated the pressure by filing a complaint with the U.S. Securities and Exchange Commission (SEC) alleging that MeridianLink had violated the breach-disclosure rule under Form 8-K Item 1.05, even though that rule, which requires disclosure of a material cybersecurity incident within four business days of the materiality determination, did not take effect until December 15, 2023. MeridianLink publicly stated that the incident caused minimal business interruption and involved no compromise of production platforms, while it continued to assess potential exposure of consumer data.

By December 5, MeridianLink had concluded its investigation and confirmed that the personally identifiable information (PII) of fewer than 75 consumers was involved. The company notified the affected individuals and reported no evidence of broader unauthorized access to its operational systems or critical infrastructure. ALPHV's SEC complaint, which the group publicized with a screenshot of the submission receipt, prompted no regulatory action because the disclosure rule was not yet in force. MeridianLink's response emphasized collaboration with third-party experts to strengthen its defenses and to uphold its existing information security program. The extortion attempt did not disrupt MeridianLink's services or compromise its integrations, databases, or financial platforms, and no ransomware deployment or secondary attack followed containment of the account compromise. The incident was limited to the exfiltration of a small amount of data through a single non-privileged account, with no further malicious activity detected after mitigation.
