MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen
Real-life impact of buggy software laid bare – plus: Avast tries to profit from being caught up in attacks
Quick show of hands: whose data hasn't been stolen in the mass exploitation of Progress Software's vulnerable MOVEit file transfer application? Anyone?
According to security shop Emsisoft, 2,620 organizations and more than 77 million individuals have been impacted to date, with millions in the past week alone having received notifications that their info was either accessed, leaked, or both, after the Russian ransomware gang Clop exploited a security hole in MOVEit back in May to steal files from compromised instances.
Embarrassingly, antivirus biz Avast, which recently disclosed the crooks accessed some "low-risk customer personal information," is among these new-ish victims.
"We take this seriously and are notifying impacted customers and offering dark web monitoring services free of charge," the developer xeeted on October 25.
That free dark-web monitoring likely came in handy to the 3 million customers whose info has reportedly been leaked on a hacking forum.
According to the UK's Times, the information posted "is primarily limited to name and/or contact information, as well as information on the product you purchased from us. No banking details, credit card numbers or high-risk data such as login information or account details were taken."
An Avast spokesperson declined to answer specific questions about the breach, though sent The Register the following statement:
Our systems are secure and operational. We use MOVEit for internal file transfers and immediately remediated all known vulnerabilities when this incident was discovered in June. We are up to date on all subsequent patches. While there was no impact to our core IT systems or services, during continued due diligence, we found some of our Avast customers' personal information, such as name, email address and phone number, was impacted. While this information is not considered high risk, we take the safety of our customers extremely seriously and want to ensure they are prepared to be vigilant against any potential phishing threats using this information. We have notified customers and offered dark web monitoring free of charge for six months.
Not one to let an opportunity to up-sell slip by, the org recommended that affected customers also pay for an enhanced security service. As expected, users aren't too happy with Avast's "shameless marketing tactics" and took to a web forum to voice their complaints.
"I received an email today about Avast customer data being leaked on the dark web. In the email, Avast recommends signing up for an additional paid service," one user noted.
According to another customer:
I agree that it appears to be touting for future business in a rather underhand way!! Firstly they admitted to a breach of their security which allowed MY data out into the dark web (it also appears to have taken them the best part of a year to discover this!!!) & then, because I am such a "valued customer" they are "offering" me the use of their Breachguard product free of charge for 6 months!!!
It appears the old adage that one person's breach is another's business opportunity rings true.
Millions more patients' data stolen
In more MOVEit news, Welltok, which provides patient communication services for healthcare providers across the US, has been busy notifying patients that their supposedly private healthcare data really isn't.
The Virgin Pulse-owned company has sent notification letters to more than 1.6 million patients alerting them that their names, addresses, dates of birth, and health information may have been stolen by miscreants abusing MOVEit, according to a November 18 filing with the Maine Attorney General's office.
Specifically, this information belonged to people with group health plans from Stanford Health Care, Lucile Packard Children's Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children's Health Alliance.
Welltok did not immediately respond to The Register's request for comment.
In a letter sent to those affected patients, Welltok says it first learned that its MOVEit instance had been compromised back in July, after it had "previously installed all published patches and security upgrades immediately upon such patches being made available by Progress Software."
Things basically got worse from there on out.
By August, it determined criminals had, in fact, managed to "exfiltrate certain data," and in October Welltok began notifying Sutter Health patients that their personal information may have been accessed.
Sutter provides health care to more than three million people in northern California.
Welltok also provides patient data communications for Michigan's Corewell Health as well as its Priority Health lifestyle portal, and a ton of those patients also were hit by the MOVEit breach.
Last week, Welltok said about one million Corewell Health patients and 2,500 Priority Health members were impacted. For Priority Health members, stolen data included name, address and health insurance identification number. Corewell Health patients may have had their names, dates of birth, email addresses, phone numbers, diagnosis, health insurance information and Social Security numbers exposed.
"The information accessed by the unknown actor may have included, depending on the individual, their name, address, date of birth, social security number, email address, phone number, patient identification number, health insurance information, provider's name, and medical treatment or diagnosis information," according to the Arkansas-based health care provider. ®