Cyber Incident Victim: PricewaterhouseCoopers
Date: May 2023
Location: United States of America
Summary
PricewaterhouseCoopers (PwC) was affected by a breach involving the MOVEit file transfer tool exploited by the Clop ransomware gang. The incident had a limited impact on the firm's client engagements, but its own IT network was not compromised. PwC contacted a small number of clients whose files were affected. The Clop group subsequently claimed to have stolen 121GB of data from the professional services company.
Description
On or around May 31, 2023, a critical vulnerability in the MOVEit file transfer tool was publicly disclosed. This vulnerability was subsequently exploited by the Clop ransomware group to attack numerous organizations worldwide, including the professional services firm PricewaterhouseCoopers (PwC). PwC utilized the MOVEit software for a limited number of its client engagements. Following the public announcement of the vulnerability, PwC ceased using the MOVEit tool. The company initiated an investigation to determine the scope and impact of the incident on its operations and client data.

The investigation conducted by PwC concluded that the company’s own internal IT network had not been compromised by the attackers. The impact of the MOVEit vulnerability on PwC was assessed as limited. The breach was confined to the MOVEit application itself, which was used for secure file transfers with clients. The investigation revealed that a small number of clients had their files impacted by the unauthorized access. PwC proactively reached out to these affected clients to directly discuss the incident and its implications.
The Clop ransomware group, which claimed responsibility for the widespread exploitation of the MOVEit vulnerability, publicly listed PwC on its data leak site. The group asserted that it had successfully stolen approximately 121 gigabytes of data from PricewaterhouseCoopers. This public claim by the cybercriminal actors was made on or around June 22, 2023. PwC, as a major global entity in the professional services sector, represents a significant target; the firm is the second largest of its kind in the world, with 742 offices across 154 countries and reported revenue of $50.4 billion for the 2022 fiscal year.
The incident at PwC was part of a much broader campaign affecting a wide array of institutions. Another member of the "Big Four" accounting firms, Ernst & Young (EY), also confirmed a breach related to the same MOVEit vulnerability. EY reported commencing its investigation after the vulnerability was announced on May 31. The company stated that the vast majority of its systems using the transfer service were not compromised and that it was manually investigating systems where data may have been accessed. Clop also claimed to have exfiltrated 3GB of data from EY.
The primary impact of the PwC incident involved the potential exposure of client data that was being transferred or stored within the compromised MOVEit system. PwC did not publicly detail the specific nature of the data impacted for each affected client. However, the type of sensitive information typically handled by such a firm in client engagements could include a wide range of financial, personal, and proprietary business data. The company's response was focused on direct communication with the specific clients whose information was involved.
In its public communications, PwC emphasized that its core internal network remained secure and uncompromised. This distinction was crucial, indicating that the attack vector was exclusively a third-party software application and not a penetration of PwC's primary defensive perimeter. The company's statement, provided by Jenny VanOss, its director of communications, clarified that the vulnerability had a limited impact on PwC's operations. The compromise was contained to the specific instance of the MOVEit application.
The broader context of the MOVEit attacks included significant impacts on other major organizations. A notable example is the California Public Employees' Retirement System (CalPERS), which was affected not directly, but through a third-party vendor, PBI Research Services/Berwyn Group. That vendor used MOVEit, and the breach there led to the access of personal information of CalPERS retirees, including names, dates of birth, and Social Security numbers. This illustrates how the supply chain attack via a file transfer tool had cascading effects on end clients.
The response from law enforcement to the global MOVEit exploitation campaign was significant. The U.S. Justice Department issued a reward of up to $10 million for information leading to the identification or location of key leaders of the Clop ransomware group. This reward was announced via a Rewards for Justice tweet on June 16, 2023, which also included an advisory from CISA and the FBI. The advisory aimed to gather information linking the Clop gang or other malicious actors targeting U.S. critical infrastructure to a foreign government.
By June 22, 2023, the number of known victims of the MOVEit vulnerability exploitation had reached at least 96 organizations. These victims spanned multiple sectors, including universities, private companies, and government agencies at various levels. The attack demonstrated the widespread risk posed by a vulnerability in a commonly used enterprise file transfer solution, impacting a diverse set of entities that relied on the software for moving sensitive information.
For PricewaterhouseCoopers, the technical response involved immediately discontinuing the use of the vulnerable MOVEit software upon learning of the disclosure. The subsequent investigation was aimed at understanding which specific files and client engagements were affected. The business consequence was the obligation to notify a limited set of clients and to manage the reputational and relational fallout from the breach. The firm assured the public that its core business operations and its ability to serve clients remained uninterrupted, as its internal systems were verified as secure. The incident highlighted the ongoing cybersecurity challenges faced by large professional services firms that manage vast amounts of sensitive client data and rely on third-party software to facilitate their operations.
