Cyber Incident Victim: Verivox

Date:

May 2023

Location:

Germany

Summary

Verivox fell victim to a cyberattack exploiting a critical vulnerability in the MOVEit Transfer file transfer software. Attackers used the flaw to exfiltrate customer data, which primarily consisted of names, postal addresses, and email addresses. In a subset of cases, banking details in the form of IBAN numbers were also compromised. The company took its MOVEit environment offline immediately upon notification by the vendor and launched a forensic investigation into the incident.


Description

On or around May 31, 2023, the price comparison portal Verivox became one of the victims of a widespread campaign exploiting a critical security vulnerability in the MOVEit Transfer managed file transfer software developed by Progress (the SQL injection flaw tracked as CVE-2023-34362). Verivox was officially informed of the vulnerability by Progress on that same date, May 31. Upon notification, Verivox immediately took its MOVEit environment offline to prevent further unauthorized access and initiated a forensic investigation to determine the scope of the breach. The investigation confirmed that, before the system was taken offline, attackers had already exploited the flaw to gain unauthorized access and exfiltrate data. The incident was part of a larger global campaign affecting thousands of organizations, with the cyber gang known as Cl0p identified as the likely threat actor behind the mass exploitation of the MOVEit vulnerability.

The data stolen from Verivox included personal information belonging to its users. The company determined that, for most affected users, the exfiltrated records consisted of basic personal data: name, postal address, and email address. For a subset of users, the compromised records were more extensive and also contained banking details, namely the International Bank Account Number (IBAN) alongside name, address, and email address. The forensic investigation into the precise scope and full contents of the exfiltrated data was still ongoing at the time of public disclosure and was expected to take additional time to complete.

In response to the incident, Verivox undertook several containment and remediation actions. Immediately after being informed of the vulnerability, the company disconnected the affected MOVEit environment from its network. Following the initial containment, the compromised server was completely rebuilt from scratch without reinstalling the vulnerable MOVEit Transfer software, thereby eliminating the specific attack vector used by the threat actors. Verivox also stated that it had further strengthened its existing stringent security measures in the wake of the attack. The company officially notified the relevant authorities of the data loss without undue delay, fulfilling its regulatory obligations. To assist with the investigation, Verivox engaged external forensic specialists to conduct a comprehensive examination of the incident and to analyze the nature of the stolen data.

Verivox publicly disclosed the incident through a dedicated entry on its corporate website, which served as a formal data protection notice in accordance with Article 34 of the GDPR. The company provided affected users with information on the nature of the breach and recommended steps they could take, based on guidance from the German Federal Office for Information Security (BSI). Customers were advised to use online tools such as the HPI Identity Leak Checker from the Hasso-Plattner-Institut and the haveibeenpwned.com service to check whether their email addresses had appeared in known data leaks, with the caveat that a positive result would not necessarily be linked to the Verivox incident and, conversely, that a negative result does not prove a user was unaffected, since such services only cover leaks that have been loaded into them. The company further recommended that users remain vigilant by monitoring their bank account movements and credit card statements for suspicious activity and inform their banks of the security incident; this matters in particular for users whose IBAN was exposed, because a name and IBAN are sufficient to initiate fraudulent SEPA direct debits, which should be disputed with the bank without delay. For direct inquiries, Verivox established a dedicated email contact address, [email protected], to handle questions from concerned users.

The attackers behind the breach, identified as the Cl0p cyber gang, were known to engage in extortion tactics, publicly naming victim companies on their leak site to increase pressure for ransom payments in exchange for allegedly deleting the stolen data. However, there was no indication that the data taken from Verivox had been published at the time of the company's disclosure.
