
Cyber Incident Victim: Leggett & Platt

Date: Jan 2021

Location: United States of America

Summary

Leggett & Platt was compromised in a mass-hack by the Clop ransomware gang exploiting a critical vulnerability in the MOVEit Transfer file-sharing tool, leading to data exfiltration. The attackers listed the company on their dark web leak site alongside financial institutions, universities, and government entities, demanding ransom payments under threat of publishing stolen information. Sensitive personal and financial data, including employee details and health records, were potentially exposed, though specific impacts varied across victims. Clop claimed extensive data theft but did not initially contact victims directly, instead setting a public deadline for negotiations. The incident highlighted widespread exploitation of the MOVEit flaw across multiple sectors globally.


Description

The ransomware gang Clop exploited a critical vulnerability in Progress Software’s MOVEit Transfer tool beginning in late May 2023, compromising organizations globally that used the file-transfer service. Leggett & Platt, an American manufacturer, was listed among the victims on Clop’s dark web leak site alongside financial institutions, universities, and government entities. Clop did not contact victims directly but instead posted a deadline of June 14 for organizations to initiate ransom negotiations, threatening to publish stolen data. While Leggett & Platt did not publicly respond to inquiries, other listed victims like the University System of Georgia acknowledged evaluating the breach’s scope, and Heidelberg Materials stated it contained the incident without data loss. No stolen data from Leggett & Platt or most other victims had been published at the time of reporting.


The MOVEit attacks impacted thousands of internet-exposed servers, primarily in the U.S., with Clop claiming to have exfiltrated large volumes of data. Organizations like Johns Hopkins University and Ofcom confirmed breaches involving sensitive personal, financial, and employee information. Researchers from Kroll identified evidence suggesting Clop had experimented with exploiting the MOVEit vulnerability as early as 2021, indicating prolonged reconnaissance. This incident followed Clop’s prior mass-exploitation campaigns targeting file-transfer tools from Fortra and Accellion. The full scale of compromised entities remained unclear, though additional victims, including Transport for London and Ernst and Young, were reported post-disclosure. Leggett & Platt’s specific operational disruptions, data exposure details, or remediation actions were not publicly disclosed in available sources.
