Cyber Incident Victim: Vitality Group International
Date:
Jun 2023
Location:
United States of America
Summary
Vitality Group International suffered a data breach stemming from a zero-day vulnerability in its MOVEit file transfer software. An unauthorized party exploited this flaw to access and remove files containing consumers' confidential information. The compromised data included sensitive personal details such as names, dates of birth, and health information. The company initiated an investigation, shut down the affected server, and subsequently provided notification letters to all impacted individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 22, 2023, Vitality Group International, Inc. filed a notice of data breach with the Attorney General of Montana. This filing confirmed that a security incident had occurred due to a vulnerability within a file transfer software application utilized by the company. The specific software identified was MOVEit, which contained a previously unknown zero-day vulnerability. This vulnerability provided the entry point for unauthorized external actors to gain access to the company's systems. The discovery of this vulnerability prompted the initiation of an internal investigation by Vitality Group to ascertain the full nature and scope of the intrusion.
Upon learning of the zero-day vulnerability present in the MOVEit software, Vitality Group took immediate action to contain the threat. The company shut down access to the specific server that was affected by the exploit. This action was a critical containment step aimed at preventing any further unauthorized access while the investigation proceeded. The subsequent forensic investigation focused on determining the extent of the attackers' activities within the compromised environment and identifying precisely what data had been exposed.
Through its detailed investigation, Vitality Group was able to confirm that the hackers had successfully exploited the MOVEit vulnerability to access and exfiltrate certain files. These files contained confidential consumer information stored and transmitted by the company. The investigation process involved a comprehensive review of the compromised files to determine the specific types of personal information that were present and to identify the individuals whose data was involved in the breach. The analysis confirmed that the unauthorized access and acquisition of data had occurred.
The sensitive consumer information accessed and removed by the unauthorized party varied from individual to individual. The compromised data included individuals' names and dates of birth. Furthermore, the breach involved the exposure of health information, a particularly sensitive category of data. The combination of these data elements significantly increased the potential risk for the affected individuals, as it could be leveraged for targeted fraud or identity theft. The company did not specify the exact number of individuals impacted by this incident in its initial filing.
Following the completion of its investigation, Vitality Group undertook the process of notifying all affected individuals. On June 22, 2023, the same day as the filing with the Montana Attorney General, the company began sending out data breach notification letters via postal mail. These letters were directed to every individual whose information was determined to have been affected by the security incident. The purpose of these notifications was to inform consumers about the breach and to provide them with a list of the specific information pertaining to them that had been compromised. This direct communication is a standard procedure intended to allow victims to take steps to protect themselves from potential misuse of their personal data.
Vitality Group International, Inc. is a healthcare software company founded in 2005 and based in Chicago, Illinois. The company's core business involves providing a mobile platform that delivers real-time health and wellness updates. Its software employs incentives, data, and behavioral science to encourage users to prioritize their health. The global reach of the company is significant, with its software being used by more than 30 million people across 40 different markets worldwide. The company employs over 359 people and generates approximately $99 million in annual revenue. The breach incident impacted this extensive user base, highlighting the risks associated with third-party software dependencies in the healthcare technology sector. The incident was part of a wider wave of attacks exploiting the same MOVEit vulnerability, affecting numerous organizations globally. The company’s public confirmation of the breach through a regulatory filing marked the public disclosure of the event, providing initial details about the cause and the type of data involved.