Cyber Incident Victim: TomTom

Date:

May 2023

Location:

United States of America

Summary

The Clop ransomware gang exploited a vulnerability in Progress Software's MOVEit file-transfer tool, compromising TomTom among hundreds of organizations across multiple sectors. The Dutch navigation company confirmed that unauthorized access occurred via its vendor's MOVEit platform; it implemented security measures and notified authorities, though the specific data impacted remains undetermined. This mass cyberattack affected financial institutions, healthcare providers, academic entities, and corporations, with hackers accessing sensitive information including personal identifiers, employee records, and commercial client data. The incident impacted over 17 million individuals collectively, with numerous organizations discovering compromised systems through Clop's dark web leak site and subsequent forensic investigations.


Description

The Clop ransomware gang exploited a previously unknown vulnerability in Progress Software's MOVEit file-transfer tool beginning in late May 2023, conducting mass data theft from corporate customers using the software. Dutch navigation company TomTom was among the victims listed on Clop's dark web leak site on June 5, 2023. TomTom confirmed the breach originated through its vendor's MOVEit platform, stating that it became aware of the incident immediately after the vulnerability's disclosure. The company implemented undisclosed safety and security measures to protect data and notified relevant authorities, though the specific nature or volume of compromised information remained unconfirmed. This incident occurred amid a rapidly expanding wave of attacks affecting hundreds of organizations globally, with threat analysts estimating 270 victim organizations and over 17 million impacted individuals by early June.

The attack impacted multiple sectors including finance, healthcare, hospitality, and education. Radisson Hotels Americas reported limited guest record access, while real estate firm Jones Lang LaSalle confirmed unauthorized access to non-Social Security Number data for all 43,000 employees. 1st Source Bank disclosed theft of sensitive commercial and individual client PII in regulatory filings. UofL Health confirmed MOVEit exploitation at medical practices using the software but did not verify data access. TomTom's breach occurred through third-party file transfers via MOVEit, though the company maintained its internal systems remained secure. Clop systematically listed new victims on its leak site throughout June, with additional confirmed victims including Deutsche Bank, multiple universities, and pharmaceutical companies. TomTom joined other organizations in containing the incident by applying vendor-provided patches, while forensic investigations continued across all affected entities to determine the full scope of the breaches.
