Cyber Incident Victim: AvidXchange
Date: Apr 2023
Location: United States of America
Summary
Payment software company AvidXchange suffered a ransomware attack claimed by the RansomHouse group, its second such incident of the year. A trove of sensitive data was exfiltrated and leaked, including employee payroll information, corporate bank account numbers, and a variety of system login credentials. The company confirmed the incident affected some of its systems and expects to incur related costs, though the full scope of the breach remains unclear.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In early April 2023, payment software company AvidXchange detected that some of its systems and data had been affected by a cybersecurity incident. The company, which provides cloud-based software to automate invoice processing and payment management, initiated an investigation into the event. This investigation confirmed that data had been exfiltrated from these affected systems. The ransomware group known as RansomHouse subsequently claimed responsibility for the attack. The group published a message on its dark web leak site addressed to AvidXchange, strongly recommending the company contact them to prevent the leaking of confidential data and documents. A sample of the stolen data was reviewed and found to include a wide array of sensitive corporate information.

The published data sample included non-disclosure agreements, internal employee payroll information, and corporate bank account numbers. Furthermore, the leak contained extensive login details for a variety of the company’s systems. These credentials included usernames, passwords, and in some instances, answers to security questions. The compromised systems ranged from cloud accounts and security software to smart door locks and surveillance cameras. Documentation within the leak suggested that many of these passwords were easily guessable, often using derivations of the company’s name or the word “password” itself. Notes accompanying the data indicated that a significant number of these login credentials were potentially still in active use at the time of the breach.
This incident marked the second time AvidXchange had fallen victim to a ransomware attack within the first four months of 2023. Just weeks prior, the company had confirmed it was among the approximately 130 victims of a mass-hack targeting Fortra's GoAnywhere managed file transfer (MFT) systems. That earlier attack was claimed by the Clop ransomware gang. AvidXchange disclosed that it had used Fortra’s GoAnywhere technology specifically to transfer files to an external company responsible for printing its checks. Data allegedly stolen from AvidXchange during that initial breach, including the company's GoAnywhere backups, was listed on Clop's dark web leak site.
During its first-quarter earnings call held on Monday, May 1, 2023, AvidXchange publicly addressed the recent incident and stated it expected to incur costs related to the cyberattack. The company issued a short statement on its website acknowledging the event had affected some of its systems and data, and it noted its investigation remained ongoing. A company spokesperson, Olivia Sorrells, declined to answer specific questions from journalists, including whether AvidXchange had received or paid a ransom demand to the RansomHouse group. The full scope of the breach, including the exact number of customers and employees impacted and the total volume of data exfiltrated, remained unclear. It was also not publicly known whether AvidXchange possessed the technical means to definitively determine all the data that had been taken from its systems.
The group claiming responsibility, RansomHouse, has been active since 2021. It describes itself not as a typical ransomware operation but as a "professional mediators community." The group states it specifically targets organizations it perceives as having a negligent attitude toward the privacy and security of their customers' personal data. Prior to the AvidXchange attack, RansomHouse had also publicly claimed other high-profile victims, including chipmaker AMD and Africa’s largest retailer, Shoprite. The specific method of initial compromise used to infiltrate AvidXchange's networks was not disclosed by the company or the threat actors. The confirmed impacts of the breach were the exfiltration of sensitive internal data and its subsequent publication on a dark web leak site, exposing financial, employee, and security information.
