Cyber Incident Victim: Flutter

Date:

May 2023

Location:

United States of America

Summary

The Clop ransomware gang exploited a zero-day vulnerability in the MOVEit file transfer software to breach Flutter. The gambling company confirmed that data was accessed by the hackers, but did not specify the nature of the compromised information or whether it involved customer details. Flutter controls several prominent betting brands, including FanDuel, PokerStars, and Betfair.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around May 29, 2023, the Clop ransomware gang began a widespread campaign exploiting a zero-day vulnerability in the MOVEit file transfer software. This incident impacted numerous organizations globally, including the US government services contractor Maximus. The company, which provides IT services to Medicaid, Medicare, and US student loan servicers, confirmed in a regulatory filing with the U.S. Securities and Exchange Commission that it used MOVEit for internal and external file sharing purposes, including sharing data with government customers pertaining to individuals participating in various government programs. The investigation, assisted by outside legal, forensic and data analytics experts, revealed that hackers accessed files containing the personal information of a vast number of individuals. Based on its initial review, Maximus believes those files contained personal information, including Social Security numbers, protected health information, and other personal data, of at least 8 to 11 million individuals. The company acknowledged it was unable to predict the final total number of impacted individuals until the file review was completed, a process it estimated would last several more weeks.

The breach at Maximus represented a significant component of the broader attack, given the sensitive nature of the government program data it handled. The company promptly commenced an investigation and took remedial steps to address the reported vulnerabilities. It also began the process of notifying its customers as well as federal and state regulators about the incident. Maximus planned to provide breach notifications to the affected individuals and offer them free credit monitoring and identity restoration services for an undisclosed period. The company estimated the financial impact of the incident to be approximately $15 million. With over 34,000 employees and annual revenue exceeding $3 billion, Maximus provides services to major programs including the Children's Health Insurance Program (CHIP), health insurance exchanges under the Affordable Care Act, welfare-to-work programs, and government record tracking systems used during the COVID-19 pandemic.

The Clop ransomware gang added dozens of new organizations to its data leak site on May 31, 2023, publicly claiming victims. Among those listed were the professional services network Deloitte, the gambling giant Flutter, and Toyota Boshoku Corporation. A spokesperson for Deloitte stated that upon becoming aware of the vulnerability, the firm immediately applied the vendor’s security updates and performed mitigating actions in accordance with guidance. Their analysis determined that their global network use of the vulnerable MOVEit Transfer software was limited. Deloitte further stated it had seen no evidence of impact to client data but did not respond to specific questions regarding what information was involved or whether employee data was accessed. As the world’s largest professional services network by revenue, Deloitte became the third major accounting firm confirmed victimized by Clop in this incident, following breaches at PricewaterhouseCoopers and EY.

Flutter, a company controlling popular gambling brands such as FanDuel, PokerStars, Betfair, Sky Betting & Gaming, and Sportsbet, confirmed to reporters that it was affected by the MOVEit incident and that data was accessed by the hackers. The company declined to specify what data was accessed or whether it involved customer information, providing no further details on the scope or nature of the breach within its organization. Similarly, Toyota Boshoku Corporation, a member of the Toyota Group, was added to Clop’s list on May 31. The company had previously confirmed it was affected in a statement released on June 10, noting that data from its European subsidiary, Toyota Boshoku Europe, was accessed by the hackers. Toyota Boshoku did not specify what data was accessed and did not respond to subsequent requests for comment.

Another organization added to Clop’s leak site on May 31 was Pension Benefit Information, a firm that verifies beneficiary data for pension funds worldwide. The breach at Pension Benefit Information had a cascading effect, prompting dozens of organizations around the world to release statements confirming that their information was breached due to the attack on their service provider. Pension Benefit Information itself confirmed it was affected by the exploit. According to analysis by cybersecurity firm Emsisoft, the MOVEit incident affected at least 514 organizations globally by this date, a figure that included 97 schools in the United States. The widespread exploitation demonstrated the significant impact of a single vulnerability in a commonly used enterprise file transfer solution. The incident involved the exfiltration of data from numerous entities, with the threat actors subsequently using their leak site to pressure victims by threatening to publish the stolen information. The response from victim organizations largely involved applying available patches, initiating forensic investigations, and beginning the process of regulatory and individual notification where personal data was compromised. The full scope and total number of individuals affected across all organizations remained undetermined as the investigations were ongoing.

Sources
Sources available to members
1 source