College of American Pathologists
| Primary URL | Location | Industry |
|---|---|---|
| www[.]cap[.]org | Country: United States of America | Healthcare |
Profile
The College of American Pathologists, headquartered in the United States, was compromised in the widespread Clop ransomware campaign during May 2023. This incident involved the exploitation of a zero-day vulnerability in the MOVEit file transfer software, leading to the theft of the organization's data and its subsequent listing on the Clop data leak site. The attack was part of a larger operation that affected over five hundred organizations and an estimated thirty-six million individuals, with the financial services, professional services, and education sectors being the primary targets. As a victim within the professional services sector, CAP's breach illustrates the extensive reach of this particular cyber campaign. The use of a zero-day exploit enabled the threat actor to infiltrate numerous entities simultaneously, demonstrating a high level of coordination and technical sophistication. The primary goal of data exfiltration was achieved, as confirmed by the publication of stolen information on the ransomware group's public leak site.
CAP operates as a professional organization for pathologists, a designation inferred from its name and its classification within the professional services sector impacted by the MOVEit attacks. The breach highlights the vulnerability of specialized professional associations that depend on third-party software for secure data transfers. Inclusion on the Clop leak site signifies that the exfiltrated data was assessed as valuable by the attackers, though the specific nature of the compromised information is not detailed in the available incident overview. This event positions CAP among a significant cohort of professional services and educational institutions that faced similar fates, underscoring a concentrated campaign against sectors handling sensitive information. The incident originated from a vulnerability in a vendor's product rather than an internal security failure, emphasizing the pervasive risk of supply chain attacks. The MOVEit campaign's impact on CAP and analogous organizations reveals a targeting pattern focused on entities where data sensitivity could yield financial or strategic gain for cybercriminals. The breach serves as a documented example of how even niche professional bodies are not insulated from large-scale, software-based cyber extortion schemes.
