Cyber Incident Victim: Adare SEC Ltd

Date: May 2023

Location: United Kingdom

Summary

Adare SEC Ltd, a UK printing firm providing services to major insurers, brokers, and banks, was a victim of the extensive MOVEit cyberattack. The incident was carried out by the Clop ransomware group, which exploited a software vulnerability to breach systems and steal data. Data relating to a small proportion of the company's customers was compromised. Adare notified affected customers and initiated a forensic investigation to determine the scope of the breach.

Description

On or around May 31, 2023, UK printing firm Adare SEC Ltd was confirmed as a victim of a widespread cyberattack exploiting a vulnerability in the encrypted file-sharing software MOVEit, developed by Progress Software Corp. The attack was carried out by a notorious Russian-speaking hacker group known as Clop. Adare SEC, which sends digital communications and printed letters for a client base that includes major insurers, brokers, and multinational banks, confirmed to Bloomberg News that it had been hit by the hack and that data was stolen. The company stated that data relating to a small proportion of its customers had been compromised but did not publicly detail the specific types of information taken from its systems.

The incident formed part of a much broader campaign targeting numerous organizations globally. Other entities publicly confirmed as victims included the BBC, British Airways, and the UK media regulator Ofcom. The attack on Adare SEC highlighted concerns regarding the security preparedness of companies within global information supply chains that possess sensitive citizen data. The hackers exploited the vulnerability in the MOVEit software to gain unauthorized access to the systems of various institutions. Following the breach, the Clop group posted a notice on the dark web threatening to publish the stolen data from all affected companies if ransom negotiations were not initiated by a specified Wednesday deadline.

In response to the breach, Adare SEC initiated a forensic investigation to determine the full scope and details of the incident. The company also proactively contacted its affected customers to notify them of the data compromise. One of its major clients, Legal & General Group Plc, provided a statement clarifying the nature of the data it shared with Adare. The London-based financial services firm stated it only provided customer names and addresses to the printing firm and that protections were applied to that data to restrict its utility. Based on this limited data exposure, Legal & General assessed that any risk to its customers was low. Other significant clients, including Aon Plc and Allianz SE, declined to comment publicly on the incident involving their supplier.

The confirmation that Adare SEC was breached placed a spotlight on its role within the data supply chain for large financial and insurance institutions. While the firm itself maintained a lower profile compared to many of its high-profile clients, its function as a processor of customer communications meant it held data on behalf of those companies. The attack demonstrated how threat actors could target such third-party service providers to potentially access information belonging to numerous other organizations indirectly. The Clop group's tactic of exploiting a zero-day vulnerability in a widely used commercial software product proved highly effective in gaining access to a multitude of networks.

The operational impact on Adare SEC's business activities was not detailed in public statements. The company's response focused on investigation and customer notification, which are standard steps following a data security incident. The broader consequences of the MOVEit campaign were significant, prompting alerts from cybersecurity agencies and leading Progress Software Corp. to issue patches for the critical vulnerability. The incident served as a prominent example of a supply-chain attack, where a single software vulnerability can be leveraged to compromise hundreds of organizations that rely on that product for secure file transfers. The full extent of data stolen from Adare SEC and the total number of individuals affected were not disclosed publicly by the company or its clients following the initial confirmation of the breach.
