Cyber Incident Victim: College of American Pathologists
Date: May 2023
Location: United States of America
Summary
The College of American Pathologists was a victim of the widespread Clop ransomware group attacks exploiting a zero-day vulnerability in MOVEit file transfer software. The incident resulted in data theft, and the organization was listed on the group's data leak site. This attack was part of a larger campaign affecting over 500 organizations and an estimated 36 million individuals, primarily impacting the financial services, professional services, and education sectors.
Description
The incident involving the College of American Pathologists was part of a much larger, coordinated cyberattack campaign executed by the Clop ransomware group. The attacks exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer software. The initial exploitation activity by the Clop group commenced around May 29 and May 30, 2023. This timing was apparently selected to take advantage of the reduced security monitoring that often occurs during the Memorial Day holiday weekend in the United States. Progress Software, the developer of MOVEit, became aware of the vulnerability and issued a security alert on May 31, 2023. This alert instructed all customers to immediately update their software to the newly patched version to close the security gap that was being actively exploited.

The Clop group's modus operandi was to identify and target internet-facing MOVEit Transfer servers that were vulnerable. Through the exploitation of the zero-day flaw, the threat actors were able to gain unauthorized access to these systems. Their primary objective was data exfiltration; they systematically searched for and stole data stored on the compromised servers. The group did not deploy ransomware encryption payloads in these attacks, instead focusing solely on the theft of sensitive information to use for extortion. Following the data theft, the Clop group began a process of extortion by contacting the victim organizations and demanding a ransom payment. The threat was that if the ransom was not paid, the stolen data would be published on the group's data leak site on the dark web.
The College of American Pathologists was one of the many organizations victimized in this widespread attack campaign. As a user of the MOVEit software, its systems were vulnerable during the period of exploitation prior to the patch being applied. The Clop group successfully infiltrated the organization's MOVEit server and exfiltrated data contained within it. The specific contents of the stolen data from the College of American Pathologists were not detailed in public statements, but based on the nature of attacks against other similar victims, it likely contained sensitive information. The incident was publicly confirmed when the Clop ransomware group added the College of American Pathologists to its data leak site in late June 2023. This public listing occurred alongside approximately 70 other organizations that were added to the site during that time, indicating the ongoing and expanding fallout from the attacks.
The broader impact of the MOVEit campaign was immense. By June 27, 2023, it was reported that at least 516 organizations had been directly or indirectly affected by the attacks. The total number of individuals whose personal information was compromised was estimated to be at least 36 million people, based on data breach notifications that included victim counts. A significant number of the affected organizations were service providers, which meant that a single breach of a provider's MOVEit server could lead to the exposure of data belonging to numerous other companies and their customers. This cascading effect greatly amplified the scope of the incident. Notable service providers impacted included PBI Research Services and the National Student Clearinghouse, whose breaches led to notifications from many of their downstream clients.
The College of American Pathologists, upon discovering the breach or being notified by Progress Software, would have initiated its incident response procedures. This standard response likely included engaging third-party digital forensic investigators to conduct a thorough examination of the compromise. The forensic investigation would aim to determine the scope of the intrusion, identify which systems and data were accessed, and ascertain the specific information that was exfiltrated by the threat actors. Containment actions were implemented, which certainly involved applying the security patch provided by Progress Software to prevent further unauthorized access through the same vulnerability. The organization also would have taken steps to secure its environment, such as reviewing access controls and monitoring for any suspicious activity.
A critical component of the response was compliance with legal and regulatory obligations regarding data breaches. The College of American Pathologists undertook the process of reviewing the impacted files to identify the individuals whose personal information was contained within the stolen data. This review was necessary to determine the exact population affected and the types of data involved, which is a prerequisite for issuing individual data breach notifications. The organization would have been required to notify affected individuals, as well as relevant state attorneys general and federal regulators, in accordance with data breach laws. While the specific number of individuals affected by the breach at the College of American Pathologists was not publicly disclosed, the organization would have provided breach notification letters to those impacted. These letters typically describe the incident, the categories of information that were exposed, and the measures being offered to help protect victims, such as credit monitoring and identity theft protection services.
The financial impact of the incident was substantial for many victims. For example, the company Maximus, another victim of the same campaign, estimated it would spend $15 million on its response efforts, which included notifying between 8 million and 11 million individuals. While a specific cost figure for the College of American Pathologists was not released, the incident undoubtedly incurred significant expenses related to the forensic investigation, crisis response, legal fees, regulatory compliance, and the provision of mitigation services like credit monitoring for affected individuals. The operational disruption caused by the investigation and remediation efforts also represented a consequential impact on the organization's resources and focus. The reputational damage associated with a public data breach and listing on a cybercriminal leak site is another significant consequence, potentially affecting stakeholder trust. The Clop group claimed on its leak site that it had deleted data stolen from government entities, implying it did not attempt to extort them, but it made no such claim for healthcare or other private sector organizations like the College of American Pathologists. The incident stands as a prominent example of the severe risks associated with supply-chain attacks and the exploitation of vulnerabilities in commonly used enterprise software.
