Cyber Incident Victim: Realm IDX Inc.
Date: May 2023
Location: United States of America
Summary
Realm IDX Inc. was impacted by a mass data exploitation incident targeting the MOVEit file-transfer tool. The external systems breach occurred at a third-party vendor, compromising the personal data of 818 individuals, including three Maine residents. The information acquired consisted of names combined with Social Security numbers. The incident was discovered shortly after it occurred, and written notification was subsequently provided to the affected individuals.
Description
On or around May 31, 2023, Realm IDX Inc., a commercial entity based at 1 Enterprise, Aliso Viejo, California, 92656, experienced a data breach. The incident was not a direct attack on Realm IDX's own internal systems but was instead an external systems breach that occurred at the location of a third-party vendor. The specific nature of this vendor and the systems involved were not disclosed in the available information. The breach was discovered by the company on June 5, 2023, five days after the initial compromise occurred. The attack vector was later identified as part of a much larger, widespread campaign targeting users of the MOVEit file-transfer tool, a product developed by Progress Software.

This larger campaign was orchestrated by the Clop ransomware gang, which claimed responsibility for mass data raids targeting corporate customers of the MOVEit software. The group exploited a previously unknown security vulnerability in the MOVEit Transfer application to gain unauthorized access to the systems of numerous organizations that used the tool for secure file transfers. The breach affecting Realm IDX was, therefore, a single instance within this extensive cyberattack, which ultimately claimed hundreds of victim organizations and impacted millions of individuals globally. The incident at the third-party vendor used by Realm IDX was a direct result of this malicious activity exploiting the MOVEit vulnerability.

The investigation into the breach determined that unauthorized actors acquired specific personal information. The compromised data consisted of names or other personal identifiers in combination with Social Security Numbers. The total number of individuals affected by this specific breach was 818. This figure included three residents of the state of Maine. Because the number of affected Maine residents was well below 1,000, the company was not required to notify consumer reporting agencies under the relevant reporting thresholds.

In its response, Realm IDX engaged the legal services of the firm Norton Rose Fulbright. Will Daugherty, a partner at the firm, acted as the primary submitter for the official breach notification to the Maine Attorney General's office. The company undertook a notification process for all affected individuals. The type of notification provided was written communication. The letters to the 818 affected individuals were sent out on June 30, 2023. A template of this individual notification letter was filed with the regulatory authority. The notice detailed the nature of the information that had been acquired in the breach. Realm IDX did not offer complimentary identity theft protection services to the affected individuals. The company also confirmed that there had been no previous breach notifications within the 12 months preceding this incident.

The broader MOVEit mass-hack, of which the Realm IDX incident was a part, continued to claim victims throughout June and July of 2023. The Clop ransomware gang listed many of these victims on its dark web leak site. The list included a wide array of sectors, highlighting the extensive reach of the attack. Confirmed victims included banks such as 1st Source Bank and Deutsche Bank, hotel chains like Radisson Hotels Americas, real estate giant Jones Lang LaSalle, academic institutions including the University of Colorado and the University of Illinois, healthcare providers like UofL Health, and other corporations such as the Dutch navigation company TomTom and biopharmaceutical firm Bristol Myers Squibb. The attack impacted tens of millions of individuals, with one threat analyst from Emsisoft estimating that by July, almost 270 organizations had been victimized, affecting over 17 million people. The incident involving Realm IDX, while a smaller component of this vast campaign, followed the same pattern of a third-party file transfer service being compromised, leading to the exfiltration of sensitive personal data from its clients. The consequences for the individuals whose Social Security numbers were stolen included a significantly elevated risk of identity theft and financial fraud. The company’s response was focused on regulatory compliance and direct consumer notification as required by law.
