Cyber Incident Victim: Allegiant Air

Date: May 2023

Location: United States of America

Summary

Allegiant Air suffered a data breach stemming from the widespread exploitation of a vulnerability in the MOVEit file transfer tool. The external system breach resulted in unauthorized access to personal information, including names, addresses, dates of birth, and Social Security numbers for 1,405 individuals. The company promptly applied a security patch, enhanced monitoring, and notified law enforcement. Identity theft protection services were offered to the affected persons.

Description

On or around May 31, 2023, Allegiant Air LLC experienced a data breach resulting from the exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer tool. The low-cost airline, headquartered at 1201 N Town Ctr Dr, Las Vegas, United States, 89144, utilized this software to share and transfer files between the company and its vendors, government agencies, and individuals. The breach was an external system breach, specifically categorized as hacking. The incident was discovered by the company on June 1, 2023, one day after the initial exploitation is understood to have occurred. This event was part of a far broader, global hacking campaign targeting users of the MOVEit software, attributed to the Clop ransomware group, though Allegiant Air was not explicitly named on the group's public list of victims.

Upon discovery of the incident, Allegiant Air initiated its response procedures. The company worked to determine the scope of the intrusion, specifically what data was impacted and to which individuals the data belonged. By June 12, 2023, the company's investigation had determined that the threat actors had successfully downloaded files from its MOVEit system. The information acquired by the hackers included sensitive personal identifiers, specifically names, addresses, dates of birth, and Social Security numbers. The breach notification filed with the state of Maine confirmed that the personal information of 1,405 people was accessed. Of this total, two individuals were residents of the state of Maine. The company did not publicly specify whether the affected individuals were employees, customers, or other parties connected to the firm, but the context of using MOVEit for sharing files with vendors and government agencies suggests the data could belong to a range of associated persons.

In accordance with regulatory requirements, Allegiant Air formally submitted a data breach notification to the Maine Attorney General's office. The submission was made by the company's legal counsel, Aravind Swaminathan, a partner at Orrick, Herrington & Sutcliffe LLP. The notification provided details of the breach's occurrence, discovery, and the type of personal information compromised. The company elected to provide written notification to all affected consumers. The date scheduled for this consumer notification was June 26, 2023. As part of its response to mitigate potential harm to the affected individuals, Allegiant Air offered complimentary identity theft protection services. These services were provided by TransUnion and were offered for a duration of 24 months. The company also confirmed that it had notified relevant law enforcement agencies of the incident.

The Allegiant Air incident was a single instance within a massive and coordinated attack exploiting vulnerabilities in Progress Software's MOVEit Transfer application. The threat actor behind this campaign, the Clop ransomware group, systematically targeted hundreds of organizations globally that used the software. The group exploited a zero-day vulnerability to gain unauthorized access to the file transfer systems of these organizations, exfiltrating vast quantities of data. While Clop publicly listed many high-profile victims on its leak site, including UCLA, Siemens Energy, and AbbVie, Allegiant Air was not among the names explicitly mentioned by the group in these public disclosures. Despite this, the circumstances and timing of the breach, along with the company's own confirmation, firmly place it within the wider MOVEit incident.

The broader impact of the MOVEit campaign was unprecedented, affecting over one hundred organizations worldwide. Victims spanned numerous sectors, including education, energy, finance, government, and healthcare. Major entities confirmed to be affected included the U.S. Departments of Energy and Agriculture, the Office of Personnel Management, the California Public Employees' Retirement System (CalPERS), oil giant Shell, Siemens Energy, and numerous universities. The New York City Department of Education also announced it was impacted, with approximately 45,000 students and staff affected and about 19,000 documents accessed without authorization. The scale of the attack prompted a response from the Cybersecurity and Infrastructure Security Agency (CISA), with its director, Jen Easterly, confirming that several federal agencies were impacted.

Progress Software, the developer of MOVEit Transfer, became aware of the vulnerability and released a security patch to address it. Organizations using the software, including Allegiant Air, were urged to apply this patch immediately to secure their systems. Allegiant Air confirmed that it applied the available security patch issued by Progress Software to fix the vulnerability. Furthermore, the company stated it enhanced its monitoring of the affected system to guard against further unauthorized activity. The application of the patch was a critical step in the containment process, aimed at preventing continued exploitation of the vulnerability within the company's environment.

The consequences for Allegiant Air were primarily centered on the compromise of sensitive personal data and the associated regulatory and consumer response obligations. The breach of Social Security numbers in combination with names, addresses, and dates of birth created a significant risk of identity theft for the 1,405 affected individuals. This necessitated the offering of credit monitoring and identity protection services for a two-year period. The company also incurred the operational and financial costs associated with conducting a forensic investigation, engaging external cybersecurity and legal experts, and executing a consumer notification process across multiple jurisdictions. The reputational impact of being involved in a significant global cyber incident was another consequence, though the company emphasized that the breach was limited to its MOVEit deployment and did not affect its core operational systems.

The incident highlighted the systemic risk posed by vulnerabilities in widely used third-party software. Allegiant Air's use of MOVEit for secure file transfer was a standard business practice, but it created a dependency on the security of that external product. The exploitation of a single vulnerability in this software provided threat actors with a pathway into the systems of countless organizations. The Allegiant Air breach, while smaller in scale than those at other victims like CalPERS, where hundreds of thousands were affected, demonstrates how even a limited deployment of a vulnerable application can lead to a serious compromise of sensitive personal information. The company's response followed standard post-breach protocols, including internal investigation, law enforcement engagement, application of available patches, and consumer notification and protection measures. The broader MOVEit incident led to a federal class action lawsuit being filed against Progress Software, alleging failures in its handling of the software and the vulnerabilities.
