MOVEit and lose it

A bad situation has continued to grow worse as the MOVEit exploit used by the CLOP ransomware gang has begun to stack up more victims.

I wrote an article, a brief one, a couple of weeks ago detailing how the data breach had affected a number of state agencies that included the Motor Vehicle Departments of Louisiana and Oregon to name a few. In short, a lot of personal information made it into the hands of hackers, at least 6 million records alone from Louisiana.

Things haven’t gotten better in the intervening time. Ars Technica reported that currently at least 122 organizations were breached in this hack. Other victims include the New York City Department of Education and a pair of energy companies, Siemens Electric and Schneider Electric. In total the estimate appears to be that the personal data of at least 15 million people was leaked.

I’m going to tell you what all the other news organizations and pundits either already have or will soon, that this is almost certainly not the full extent of this hack. Even when I wrote the original article, I had a suspicion that the body count would grow, although by how much still remains to be seen. No matter how it shakes out it’s a cybersecurity disaster.

To put things in perspective, however, it’s currently still a small incident compared to some of our larger data breaches to date. The data breach affecting Yahoo between 2013 and 2016 compromised 3 billion accounts all told, that’s still considered the largest (but maybe not the worst). Even the Equifax hack from 2017 is only the thirteenth largest event recorded. Eyeballing it I’d say this one comes in at 22 or 23 but who’s counting?

The hackers eyeballing their bank accounts as their blackmail money comes in, that’s who.