Cyber Incident Victim: Sovos Compliance

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident occurred at Sovos Compliance due to unauthorized actors exploiting a previously unknown vulnerability in a third-party MOVEit Transfer application. This exploitation resulted in the download of a file containing personal information. The affected application was immediately taken offline, and the company is offering complimentary identity monitoring services to those impacted by the data breach.

Description

On May 31, 2023, Progress Software announced a previously unknown vulnerability in its MOVEit Transfer application, also known as SecureFT. This software was utilized by Sovos Compliance, LLC in its delivery of unclaimed property services for clients. These services specifically included the production and filing of reports concerning registered shareholders with unclaimed securities-related property, a process mandated by law. Upon learning of the vulnerability disclosure from the software vendor, Sovos Compliance immediately took the affected MOVEit application offline to prevent further potential access. The company retained outside advisors and cybersecurity experts to assist in evaluating the situation and formally notified law enforcement agencies of the potential security event.

Through an investigation supported by these external experts, Sovos Compliance determined that on May 30, 2023, unauthorized actors had successfully exploited the then-unknown vulnerability in the MOVEit application. The exploitation resulted in these actors downloading a specific file from the company's system. This file contained the personal information of individuals who were registered shareholders with unclaimed property. The incident was a direct result of the exploitation of a zero-day vulnerability in a third-party file transfer application that was integral to the company's business operations. The compromise occurred one day prior to the software vendor's public announcement of the security flaw.

The personal information involved in the incident was contained within the single file downloaded by the unauthorized third party. While the specific data elements varied by individual, the compromised information could include a combination of an individual's name and other personal identifiers. The data was in the possession of Sovos due to its role in providing unclaimed property reporting and filing services, which requires the collection of such information to comply with legal obligations. The security event did not involve a breach of Sovos's internal corporate systems but was confined to the exploitation of the specific third-party MOVEit Transfer application used for secure file transfers related to its client services.

In response to the confirmed data exposure, Sovos Compliance undertook several actions to address the incident and assist affected individuals. The company arranged for two years of complimentary identity monitoring services for impacted persons through Kroll, a firm described as a global leader in risk mitigation and response. The offered services included Single Bureau Credit Monitoring, which provides alerts for changes to an individual's credit data; Fraud Consultation, which offers unlimited access to specialists for advice on protecting one's identity and interpreting suspicious activity; and Identity Theft Restoration, which provides access to a licensed investigator to work on behalf of victims to resolve identity theft issues. Activation instructions and a unique membership number were provided to each affected individual, with a defined deadline to enroll in the services.

Sovos also established a dedicated call center to answer questions from individuals regarding the incident and the complimentary services being offered. The call center operated during specified weekday hours, excluding major U.S. holidays. Furthermore, the company provided a detailed notice to affected individuals, which outlined the nature of the event, the type of information involved, and the steps being taken in response. This notice also included general guidance on how individuals can remain vigilant by reviewing their credit reports, account statements, and explanations of benefits from health insurers for any suspicious activity. Individuals were advised to report any detected suspicious activity to the relevant financial institutions and to proper law enforcement authorities.

The incident had significant consequences for the individuals whose data was contained in the exfiltrated file. The exposure of personal information created a risk of identity theft and fraud, necessitating the offering of credit monitoring and identity restoration services. The compromise was part of a broader wave of attacks targeting the MOVEit Transfer software vulnerability, which affected numerous organizations globally. For Sovos Compliance, the event resulted in the temporary disruption of its unclaimed property service delivery due to the necessary takedown of the affected application. The company's response involved engaging external cybersecurity experts, coordinating with law enforcement, and incurring the costs associated with providing identity protection services to a potentially large number of affected individuals. The specific number of individuals impacted was not disclosed in the provided notice, though it was confirmed that residents of Rhode Island were among those affected.
