Date:

May 2023

Location:

Germany

Summary

A cyberattack exploited a zero-day vulnerability in the MOVEit Transfer software used by Verlagsgesellschaft Vogelsberg GmbH & Co. KG, resulting in a data breach. The incident led to the unauthorized exfiltration of customer files and subscriber data, including names and addresses. The company confirmed that more sensitive financial information was not compromised. Immediate security measures were taken, and relevant data protection authorities were notified in accordance with GDPR requirements.


Description

On or around May 31, 2023, a cyberattack was discovered targeting Verlagsgesellschaft Vogelsberg GmbH & Co. KG, a regional media company; the intrusion was identified on Wednesday, May 31, 2023. The attack exploited a previously unknown security vulnerability (a zero-day) in MOVEit Transfer, a product developed by Progress Software. The software is used for the encrypted transfer of data between business partners using SFTP servers, and the company ran it as part of its IT infrastructure for secure data exchange. The attackers exploited the vulnerability to gain unauthorized access to protected data stored within the MOVEit Transfer system.


Upon discovery of the incident, the company immediately initiated all necessary data-securing measures. The response included engaging in close coordination with external cybersecurity experts and data protection officers to manage the situation. A forensic investigation was promptly launched to determine the full scope of the compromise. This investigation concluded that no other IT systems within the company's infrastructure, beyond the MOVEit application, were compromised. The breach was contained to the specific software platform where the vulnerability resided. The company also fulfilled its legal obligations by formally notifying the relevant data protection authority in accordance with the General Data Protection Regulation (GDPR).

The impact of the incident was significant, resulting in a confirmed data exfiltration. Unauthorized actors successfully downloaded files containing customer data. The compromised data included the personal information of the company's subscribers. Based on the available information, the types of subscriber data affected were names and addresses. The investigation determined that more sensitive categories of information, such as bank account details or financial data, were not involved in the breach. The scope of the incident was not isolated, as the vulnerability affected a global user base of the MOVEit Transfer software, making companies worldwide potential victims of the same exploitation campaign. The Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's Federal Office for Information Security, also published information regarding the exploitation of this vulnerability.

The primary consequence was the unauthorized access to and acquisition of personal data, constituting a data breach. This breach directly impacted the company's subscriber base, potentially exposing their personal information. The company publicly expressed regret for the inconveniences caused by the incident and continued intensive work on investigating and clarifying the full details of the event. The vendor, Progress Software, was confirmed to have patched the vulnerability after the attacks were discovered, eliminating the specific attack vector used in this intrusion. The company's public communication acknowledged the global context of the attack, noting that it was one of many organizations worldwide that used the vulnerable software and were subsequently affected by the criminal exploitation of the security flaw.

The incident underscores the risks associated with third-party software dependencies and the rapid exploitation of vulnerabilities by threat actors who target widely used commercial applications to compromise the data of multiple organizations simultaneously. The response followed a structured approach to incident handling: immediate containment, forensic analysis, regulatory compliance, and ongoing investigation to understand the complete ramifications of the security event.
