
Cyber Incident Victim: University of California, Los Angeles

Date: May 2023

Location: United States of America

Summary

The University of California, Los Angeles was a victim of a cyberattack that exploited a vulnerability in the MOVEit Transfer file transfer tool. The university's IT security team discovered the incident and responded by applying a security patch, enhancing system monitoring, and initiating an investigation with external cybersecurity experts and the FBI. The investigation determined that data was impacted and all affected individuals were notified; the incident was not a ransomware attack and did not impact other campus systems.


Description

On or around May 30, 2023, Progress Software, the developer of the MOVEit Transfer file transfer tool, publicly disclosed a critical vulnerability in its software. This disclosure marked the beginning of a widespread, global hacking campaign that would ultimately impact hundreds of organizations. The University of California, Los Angeles (UCLA) was one of the many entities that utilized this software. The university’s IT security team subsequently discovered on June 1, 2023, that its instance of the MOVEit Transfer application had been targeted by attackers exploiting this vulnerability. The discovery initiated UCLA's formal incident response procedures.

Upon detecting the intrusion, UCLA immediately took steps to contain the threat and secure its systems. The primary action was the application of the security patch issued by Progress Software to fix the vulnerability. This remediation effort was conducted promptly to prevent further unauthorized access. The university also enhanced its monitoring of the affected MOVEit system to track any additional suspicious activity. Following these initial containment steps, UCLA formally notified the Federal Bureau of Investigation (FBI) of the incident. The university also engaged external cybersecurity experts to assist with a comprehensive investigation into the breach. The core objectives of this investigation were to determine the precise timeline of attacker actions, understand the methods of exploitation, identify what specific data was accessed or exfiltrated, and determine to whom that data belonged.

The investigation confirmed that the incident was a data breach resulting from the exploitation of the zero-day vulnerability in the MOVEit Transfer software. UCLA explicitly stated that this was not a ransomware incident. Furthermore, the university’s analysis found no evidence that any other campus systems beyond the specific MOVEit application were impacted. The breach was isolated to the file transfer tool. The type of data stored on the MOVEit server typically included sensitive information transferred between university departments and with external entities. While the exact number of affected individuals was not publicly disclosed by UCLA, the investigation concluded that personal and confidential data was accessed. In compliance with data breach notification laws and regulations, the university undertook the process of identifying all individuals whose data was compromised. Once this identification process was complete, UCLA notified all impacted parties.

On June 26, 2023, the Clop ransomware gang added UCLA to its list of victims on its dark web leak site. This public claim by the threat actors aligned with their broader campaign, where they systematically exploited the MOVEit vulnerability to steal data from numerous victims and then extort them by threatening to publish the stolen information. The listing of UCLA alongside other major organizations like Siemens Energy and the biomedical company AbbVie confirmed the university's involvement in this global incident. Siemens Energy, also named that same day, confirmed it was targeted but stated its analysis found no critical data was compromised and its operations were unaffected. AbbVie acknowledged it was affected by the vulnerability and was investigating what data was accessed, noting its use of MOVEit was a "limited deployment."

The MOVEit attack campaign impacted a vast array of organizations worldwide, far beyond UCLA. In the United States, several federal agencies were affected, including the Department of Energy, the Department of Agriculture, and the Office of Personnel Management. Numerous state-level agencies across Illinois, Missouri, Minnesota, Colorado, Oregon, and Louisiana also reported breaches. The private sector was heavily hit, with victims including oil giant Shell, financial services company Jackson Financial, and "Big Four" accounting firms PricewaterhouseCoopers and EY. The education sector was a significant target, with schools like Johns Hopkins University, the University of Georgia, the University of Rochester, and the University of Missouri also confirming impacts. New York City’s public school system disclosed that approximately 45,000 students, along with staff and service providers, were affected after 19,000 documents were accessed without authorization, impacting about 9,000 Social Security numbers. The low-cost airline Allegiant Air filed a data breach notification confirming the personal information of 1,405 people was accessed. Internationally, organizations in the United Kingdom such as communications regulator Ofcom, the BBC, British Airways, Aer Lingus, and pharmacy chain Boots were affected, alongside Canadian government bodies in Nova Scotia.

The scale of data theft was enormous. One of the largest single breaches was announced by California’s Public Employees' Retirement System (CalPERS), which stated that the personal information of hundreds of thousands of individuals was stolen. The incident represented a significant supply-chain attack, where compromising a single software product provided a vector to attack all of its users. Progress Software, the company behind MOVEit, faced severe criticism and a federal class action lawsuit regarding its handling of the vulnerability and the subsequent fallout. The company later announced additional vulnerabilities in the MOVEit product, requiring further urgent remediation from its customer base.

UCLA's response followed a standard incident response framework of detection, containment, eradication, recovery, and notification. The eradication phase involved applying the vendor patch to remove the vulnerability from the system. The recovery phase included enhanced monitoring to ensure the system was secure for continued use. The university’s public communications emphasized transparency regarding the steps taken and the findings of the investigation, while carefully noting the limitations of the impact to only the MOVEit system. The conclusion of the response process was the notification of all individuals whose data was determined to be involved in the breach. The university did not disclose whether it received any extortion demands from the Clop group following its inclusion on the victim list. The incident highlighted the risks associated with third-party software dependencies and the speed at which a widespread cyber campaign can unfold, impacting critical infrastructure, government services, educational institutions, and private enterprises globally.
