Cyber Incident Victim: Allegheny County District Attorney's Office
Date: May 2023
Location: United States of America
Summary
Allegheny County was impacted by a global cybersecurity incident involving the MOVEit file transfer application. The Cl0p cybercriminal group exploited a software vulnerability to access and download data from the county's systems. The compromised information included names, Social Security numbers, dates of birth, driver's license numbers, and medical and health insurance details. The county secured its systems, engaged cybersecurity experts for an investigation, and is offering identity protection services to affected individuals.
Description
On or around May 28, 2023, cybercriminals known as Cl0p exploited a software vulnerability in the MOVEit file transfer tool, a product owned by Progress Software. This exploitation was part of a broader global cybersecurity incident affecting several hundred organizations across various industries, including insurance, finance, education, energy, health, and government. Allegheny County, Pennsylvania, a user of the MOVEit application for sending and receiving data, was among the entities impacted. The attackers were able to access and download files from the county's MOVEit server during a specific window of time, from May 28 to May 29, 2023. The county became aware of the security issue on June 1, 2023, marking the official discovery of the breach.

Upon discovery, Allegheny County immediately initiated a response to secure its information. The initial containment steps involved blocking all access to and from the compromised MOVEit server to prevent any further unauthorized data exfiltration. The county also moved to address the specific vulnerability within the software by implementing the security measures and patches recommended by Progress Software, the vendor. Concurrently, the county engaged external cybersecurity experts to conduct a thorough investigation into the nature and scope of the incident. This forensic investigation was necessary to determine precisely what data was accessed and acquired by the Cl0p threat actors. Law enforcement agencies were also notified of the breach as part of the county's response protocol.
The extensive investigation determined that the data belonging to Allegheny County had been accessed and downloaded by the Cl0p group. The cybercriminals publicly indicated that their focus was on targeting businesses and that they would delete any data obtained from government entities. While the county was subsequently informed that its data involved in this incident had been deleted by the threat actors, the potential for misuse remained due to the data having been exfiltrated. The investigation worked to identify the specific individuals and types of information affected. The total number of persons affected by the breach was 967,690, which included nine residents of the state of Maine.
The types of personal information involved varied based on an individual's specific relationship with Allegheny County. The compromised data included core personal identifiers such as name, Social Security number, date of birth, driver's license or state identification number, and taxpayer identification number. For students, student identification numbers were also exposed. For a subset of individuals, certain protected health information and related data was involved. This included medical information such as diagnosis, treatment type, and admission date, as well as health insurance information and billing or claim details. The breadth of data elements made the incident particularly significant.
Allegheny County undertook a large-scale notification process to inform affected individuals. The public announcement of the incident was made on July 28, 2023. The county established a dedicated call center at (888) 990-1333, with representatives available Monday through Friday from 9 AM to 9 PM Eastern Standard Time, to answer questions from concerned individuals and to help them determine if their information was involved. The county also published a detailed notice on its official website at www.alleghenycounty.us to provide information about the incident and steps people could take to protect their personal information. For individuals for whom the county had sufficient contact information, direct notification was also provided via U.S. mail.
As a remedial measure, the county offered complimentary identity protection services to all individuals whose Social Security numbers were involved in the breach. The service provider for this offering was IDX, and the county provided two years of coverage. The offering of these services was a direct response to the high sensitivity of the exposed data, particularly the Social Security numbers, which carry a significant risk of being used for identity theft and fraud. The scale of the incident, affecting nearly a million individuals, positioned it as a major data breach within the public sector. The incident stemmed from a vulnerability in a third-party software product widely used by organizations worldwide, highlighting the supply chain risks associated with commonly utilized IT tools. The county's response followed a sequence of detection, immediate containment, a forensic investigation to determine scope, cooperation with law enforcement, and comprehensive consumer notification and protection services.
