Cyber Incident Victim: DHL Parcel UK
Date: May 2023
Location: United Kingdom
Summary
A cybersecurity incident impacted DHL Parcel UK due to a global attack exploiting a vulnerability in the MOVEit file transfer software used by its payroll provider, Zellis. The breach potentially exposed extensive employee personal data, including names, dates of birth, National Insurance numbers, and addresses. The attack was attributed to the Clop ransomware group, which has been linked to numerous other victims in this widespread campaign.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The incident involving Dhlparcel Co, a part of the shipping giant DHL, was first publicly acknowledged in late May and early June 2023. The breach was not a direct attack on DHL's own infrastructure but was instead traced to a third-party software provider. DHL confirmed that one of its software providers was impacted by a critical vulnerability affecting MOVEit Transfer, a secure file transfer tool developed by Progress Software. This vulnerability was being actively exploited by the Russia-based Clop ransomware group. Upon being made aware of the incident, DHL quickly launched an investigation, working with relevant experts to understand the full scope and impact. The company stated that this investigation was ongoing and that it would continue to communicate with those affected as more information became available.

Specifically for its UK operations, DHL confirmed it utilized the services of Zellis, a UK payroll provider. Zellis had itself fallen victim to a successful cyberattack because it used the vulnerable MOVEit software. The attack on Zellis was part of the same broader campaign by the Clop group, which had exploited the zero-day vulnerability in MOVEit. As a result of the compromise at Zellis, the personal data of DHL employees was accessed. The types of employee data exposed included employee number, first name, surname, date of birth, National Insurance number, the first line of their home address, email address, employment start date, and employment end date. The breach did not affect customer information, and banking details were not accessed.
The Clop ransomware group had been exploiting this particular MOVEit vulnerability for nearly two months. The group employed a strategy of mass-scale data theft rather than deploying encryption ransomware. After breaching a system, they exfiltrated sensitive data and then extorted the victim organizations by threatening to publish the stolen information on their darknet leak site. On June 6, 2023, Clop posted a notice claiming it had information on "hundreds of companies" and issued an ultimatum, warning affected organizations to contact them by June 14, 2023, to agree to a ransom payment or have their data published.
The incident was part of a much wider campaign that affected a vast number of organizations globally. Researchers from Emsisoft tracked the event, finding that at least 383 organizations were affected, leading to the information of over 20 million individuals being leaked. The attack impacted a diverse range of sectors, including finance, insurance, education, and government. Notable victims included 1st Source Bank, which exposed data of 450,000 customers; Fidelity & Guaranty Life Insurance Company, which affected about 873,000 people; and the American Civil Liberties Union Foundation. Many of these breaches occurred through third-party service providers like PBI Research Services and Zellis, which served numerous clients.
In response to the breach, DHL initiated its investigation and began the process of notifying affected individuals. The company committed to providing ongoing communication as the investigation yielded more information. Like many other victim organizations, DHL and its affected entities were advised to offer identity protection services to those whose data was compromised, a common remedial step in such large-scale data breaches. The financial impact of the overall MOVEit campaign was estimated to be significant for the threat actors. Cybersecurity firm Coveware reported that the Clop ransomware group could potentially earn between $75 million and $100 million from the campaign, with these sums coming from a small number of victims who succumbed to very high ransom demands.
The legal and regulatory consequences began to materialize swiftly. Law firms in the UK, such as Leigh Day, announced that the hacking announcements by DHL and other major organizations like Transport for London, Ofcom, and Ernst & Young were likely to lead to substantial claims for compensation by those affected. Data breach specialists stated that if the security measures in place to protect the data were found to be inadequate, those whose personal data was affected would likely be entitled to claim compensation for the distress caused by the breach as well as any resultant financial losses. The scale of the incident, affecting tens of thousands of employees across multiple high-profile companies, pointed towards a significant collective legal action.
The technical cause of the incident was a vulnerability within the MOVEit software itself. Progress Software, the developer, released a patch for the vulnerability once it was discovered. However, the window of exploitation before the patch was available and the time taken by organizations to apply the patch allowed the Clop group to compromise a large number of systems. The attack methodology involved exploiting this vulnerability to gain unauthorized access to the file transfer systems, enabling the exfiltration of vast quantities of data stored within them. The impact on DHL was confined to the data processed by its payroll provider, Zellis, and did not extend to its core shipping or customer operations.
The broader implications of the incident highlighted the significant risk associated with supply chain attacks, where a breach at a single software provider or third-party vendor can compromise the data of all its clients. The Clop group's shift in tactics to focus on exploiting vulnerabilities in widely used file transfer tools proved to be far more successful than their previous attacks, due to the sheer number of potential high-value targets. The massive data theft led to widespread notifications required by data protection regulations, such as filings with regulators in the U.S. state of Maine, and triggered a large-scale response from the cybersecurity industry and legal community. The incident served as a prominent example of the evolving threat landscape where ransomware groups increasingly prioritize data theft and extortion over system encryption.
