Cyber Incident Victim: VRM
Date: May 2023
Location: Germany
Summary
A zero-day vulnerability in the MOVEit Transfer software was exploited by cybercriminals, leading to a data breach at VRM. The incident resulted in the unauthorized exfiltration of files containing customer data, including subscriber names and addresses. No sensitive banking information or other internal IT systems were compromised. The company took immediate protective measures, engaged cybersecurity experts, and notified the relevant data protection authorities in accordance with GDPR.
Description
On or around May 31, 2023, VRM discovered it had fallen victim to a cyberattack; the intrusion was identified on Wednesday, May 31, 2023. The attack was not the result of a direct breach of VRM's internal infrastructure but was part of a wider global campaign exploiting a previously unknown security vulnerability in MOVEit Transfer, a software product developed by the company Progress. Companies worldwide use this software to encrypt and transfer data between business partners using SFTP servers. VRM was a user of this software, which gave the cybercriminals their attack vector.

The attackers exploited this zero-day vulnerability in the MOVEit Transfer application to gain unauthorized access to protected data. Their objective was the exfiltration of files. The company's immediate investigation, conducted in close coordination with cyber-security experts, confirmed that data had been stolen. The forensic analysis determined that the unauthorized downloads included files containing customer data. The compromise was isolated to the MOVEit Transfer system; a thorough investigation confirmed that no other IT systems belonging to VRM or the media companies for which VRM acts as a service provider were compromised in this incident.

The scope of the data breach involved customer information. Based on VRM's findings at the time of the announcement, the exfiltrated files contained the personal data of the company's subscribers. This primarily included names and addresses. The company explicitly stated that more sensitive information, such as bank account details, was not affected by this particular data theft. The incident impacted customers whose data was being processed or transferred via the compromised MOVEit system.

Upon discovery of the attack on May 31, VRM immediately initiated its response protocol. All necessary data-securing measures were taken, though the specific technical steps were not detailed publicly. The company engaged its team of cyber-security experts and data protection officers to manage the incident response and conduct the forensic investigation. The company also adhered to its regulatory obligations by formally informing the relevant data protection authority of the breach in compliance with the General Data Protection Regulation (GDPR).

The public disclosure of the incident was made through a statement on the company's website. VRM acknowledged the attack and provided a transparent, though preliminary, assessment of what had occurred and what data was involved. The company established a dedicated communication channel for inquiries related to the incident, directing affected individuals and other stakeholders to contact the VRM corporate communications department via a provided telephone number and email address. The company expressed deep regret for the inconveniences caused by the incident and stated it was working intensively to clarify the full details of the event.

The broader context of the incident was noted, as the German Federal Office for Information Security (BSI) had also published information about the widespread exploitation of the MOVEit vulnerability, confirming this was a large-scale attack affecting numerous organizations internationally. The software vendor, Progress, had by that time released a patch to remediate the security flaw.
