
Cyber Incident Victim: Alight

Date: May 2023

Location: United States of America

Summary

A cyber incident impacted Alight, a vendor providing HR software support, via a zero-day vulnerability in the MOVEit Transfer application. The breach potentially exposed the personal information of individuals, including names, contact details, dates of birth, Social Security numbers, and certain job and salary information. While there was no evidence of imminent misuse, the affected party was notified and offered complimentary credit monitoring and identity theft protection services.


Description

On May 31, 2023, Progress Software publicly announced a previously unknown zero-day vulnerability affecting its MOVEit Transfer application, a tool utilized by thousands of companies worldwide for managed file transfers. This announcement triggered a widespread investigation across its global customer base. Alight, a vendor providing HR software migration support to the company Accelya, was identified as a user of the vulnerable MOVEit application, which it employed for its business operations. Following the public disclosure, Alight immediately initiated its own investigation to determine if it was among the organizations impacted by this critical security flaw. In parallel, Accelya, upon learning its vendor was potentially affected, began a separate data review process to ascertain what, if any, of its information was contained within the files on Alight's MOVEit platform.


The incident involved the exploitation of the zero-day vulnerability in the MOVEit application. In response to the vulnerability announcement, Alight took immediate action by taking the affected application offline to prevent further unauthorized access. Subsequently, Alight applied the security patches issued by Progress Software designed to fix the vulnerability. This action was part of the initial containment response to secure the system. Despite these efforts, the investigation concluded that the period of vulnerability exploitation could have allowed unauthorized actors to access files stored within the MOVEit system. Alight advised Accelya that it could not definitively determine whether Accelya’s specific data was actually removed or exfiltrated from the platform during the exploitation window.

The data review undertaken by Accelya determined that the files on the MOVEit platform contained sensitive personal information belonging to its employees. The scope of the impacted information included full names, contact details, dates of birth, Social Security numbers, and other demographic information. Furthermore, certain job-related and salary information was also contained within the affected files. The compromise of this type of data presents significant risks, including potential identity theft and financial fraud for the individuals involved.

Given the inherent uncertainty surrounding the incident and the inability to confirm whether data was exfiltrated, Accelya proceeded with notification out of an abundance of caution. The company determined that the potential risk to affected individuals warranted proactive measures. As part of its response, Accelya arranged for credit monitoring and identity theft protection services for all impacted employees based in the United States. These services were provided through Cyberscout, a subsidiary of Identity Force, which is a TransUnion company specializing in fraud assistance.

The offered services included Triple Bureau Credit Monitoring, which provides alerts from Experian, Equifax, and TransUnion for any changes to an individual's credit files. These alerts are generated on the same day a change occurs. Additionally, cyber monitoring services were included to scan the dark web for the appearance of an individual's personally identifiable information and provide alerts if such data is found. The offering also encompassed proactive fraud assistance to help with questions or to provide support in the event an individual becomes a victim of fraud. To enroll in these services at no charge, affected individuals were provided with a unique code and directed to a specific website, with a requirement to enroll within 90 days of the notification letter dated July 10, 2023.

Accelya emphasized that, at the time of notification, there was no evidence of actual misuse of any personal information involved in the incident. The corporate systems of Accelya itself remained unaffected by the MOVEit vulnerability; the incident was confined to the systems of its vendor, Alight. The company established a dedicated email address, [email protected], to serve as a point of contact for employees who had questions about the incident. The notification letters also included extensive additional information tailored to residents of specific states, outlining their rights and providing contact details for relevant Attorney General offices and the Federal Trade Commission. This information detailed steps individuals could take independently, such as reviewing account statements and credit reports, placing fraud alerts, or initiating a security freeze on their credit profiles by contacting each of the three national credit reporting agencies.
