Date: May 2023

Location: United States of America

Summary

Fidelity National Information Services, Inc. (FIS Global) was impacted by a widespread cyber attack exploiting a vulnerability in Progress Software's MOVEit Transfer product. The Cl0p ransomware gang claimed responsibility for the data-theft incident, criticizing the company's security practices. While FIS stated the incident impacted a limited number of its clients, it was part of a larger campaign affecting numerous organizations and millions of individuals, leading to a U.S. State Department reward for information on the threat actors.


Description

Fidelity National Information Services, Inc. (FIS Global) was impacted by a cybersecurity incident on or around May 28, 2023. The Cl0p ransomware gang claimed responsibility for the attack, which was part of a broader campaign exploiting a vulnerability in Progress Software's MOVEit Transfer product. FIS, a major technology provider for the financial industry, confirmed it was one of many organizations affected by this vulnerability. The company facilitates the movement of approximately $9 trillion annually and processes around 75 billion transactions for over 20,000 clients worldwide, underscoring the potential significance of the breach.

The public announcement of the FIS data breach incident was made by threat analyst Brett Callow, who shared the information on Twitter. His tweet included an image that had been previously used by the Cl0p ransomware gang in their communications related to the MOVEit cyber attacks. The threat actor directly communicated a message to FIS Global, expressing criticism of the company's security practices, which they characterized as inadequate for protecting customer data. The message stated, “The company doesn’t care about its customers. It ignored their security!!!” This public shaming is a common tactic employed by ransomware groups to pressure victims into meeting their demands.

In response to inquiries from The Cyber Express, an FIS spokesperson acknowledged the cybersecurity issue but did not explicitly confirm a ransomware attack. The company's official statement clarified the nature of the incident, stating, “FIS was one of many organizations impacted by the vulnerability issue experienced by Progress Software and their MOVEit Transfer product.” The company further noted that the incident had impacted a limited number of its clients and that it was in the process of communicating with all clients whose information was potentially involved. This indicates the breach was contained to systems utilizing the vulnerable MOVEit application rather than the company's entire network.

The incident at FIS was part of a widespread and coordinated series of attacks specifically targeting users of the MOVEit file transfer solution. The Cl0p ransomware gang systematically exploited a zero-day vulnerability in the software to gain unauthorized access to corporate networks and exfiltrate data. Other prominent organizations listed as victims by the group during this same period included the University of California, Los Angeles, Siemens Energy, Abbvie Inc, and Schneider Electric. The scale of the overall campaign was significant, with Brett Callow estimating that the Cl0p ransomware gang's activities had affected at least 121 organizations and impacted the data of at least 15 million individuals.

Recognizing the severe threat posed by this campaign and the Cl0p group specifically, the U.S. State Department intervened. Through its Rewards for Justice (RFJ) program, the department offered a reward of up to $10 million for information leading to the identification or location of any individuals who were part of the Cl0p Ransomware Gang or other malicious cyber actors targeting U.S. critical infrastructure. The RFJ program, which was originally established in 1984 to combat terrorism, adapted its focus to include these significant cyber threats. The State Department sought information linking the group to a foreign government and specified that tips could be submitted through secure channels including Signal, Telegram, WhatsApp, or a Tor-based tip line.

This reward offer followed an official confirmation by the Cybersecurity and Infrastructure Security Agency (CISA) that the cyberattack had compromised MOVEit applications at several federal agencies. In response to the escalating situation, CISA and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on June 7, 2023. The advisory cautioned organizations that cyber threat actors were actively exploiting vulnerabilities in Progress Software’s managed file transfer solution. The agencies formally attributed the exploitation of the MOVEit vulnerability to the Cl0p Ransomware Gang, providing official confirmation of the group's involvement in the widespread attacks.

The primary impact on FIS was the potential compromise of data belonging to a limited subset of its clients who used the affected MOVEit application. The company's response focused on direct communication with those clients whose information was potentially exposed. The incident did not appear to disrupt the core financial transaction processing services for which FIS is known, as the compromise was isolated to the file transfer system. The broader consequences of the attack were part of a larger pattern that drew significant attention from U.S. federal authorities, highlighting the ongoing risk to critical infrastructure sectors from sophisticated cyber criminal groups. The incident demonstrated the cascading effect of a single software vulnerability impacting a diverse range of organizations across the public and private sectors.
