MOVEit vulnerability and data extortion incident
- Sadananda Sahoo
- Jul 24, 2023

A timeline of the #MOVEit #cyberattack
June 1: MOVEit’s vulnerability is flagged by cyber security researchers and the US government. MOVEit issues a patch for the software vulnerability.
June 5: Payroll provider #Zellis announces that it was impacted by the MOVEit cyber attack. Companies including the BBC, Boots and British Airways suffer data breaches as a result.
June 7: #Ransomware gang Clop issues a threat to victims to contact them by June 16, or their data will be posted online.
June 7: CISA and the FBI announce a US$10 million reward for “information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government”.
June 8: Professional services network and accounting firm, Ernst & Young (EY) announces that it was impacted by the MOVEit cyber attack. As a result, Health Service Ireland (HSE) suffered a data breach.
June 12: British communications watchdog #ofcom announces that it was a victim of the #MOVEit cyber attack, causing a data breach that affected 412 employees.
June 14: Clop begins to post the profiles of companies allegedly breached during the cyber attack launched against MOVEit on its data leak website. Clop does not leak any of the stolen data.
June 15: CISA announces it is working with "multiple [US] federal agencies" that have been impacted by the MOVEit cyber attack. Affected agencies include two Department of Energy entities.
June 19: Accounting firm PriceWaterhouseCoopers (PwC) announces it was impacted by the MOVEit cyber attack.
June 21: Clop claims to not have access to data from the BBC, Boots and BA that was thought to be stolen in the MOVEit cyber attack.
June 23: PBI Research Services announces that the data of 4.75 million people was stolen from three of its clients (Genworth Financial, Wilton Reassurance and California Public Employees' Retirement System (CalPERS)) because of the MOVEit cyber attack. Data stolen during the breach includes social security numbers, names, dates of birth and zip codes.
June 26: The New York Department of Education announced that the personal data of 45,000 New York City students was stolen in the cyber attack against MOVEit.
June 27: Siemens Energy and Schneider Electric both state they have been affected by the MOVEit cyber attack. Siemens says "no critical data [was] compromised" during the breach of its systems. Schneider Electric announces that, once it was made aware of the breach, it "promptly deployed available mitigations to secure data and infrastructure" and that its cyber security team is "currently investigating" the cyber attack.
June 29: The US Department of Health and Human Services notifies Congress that it has been impacted by the MOVEit cyber attack. The data of more than 100,000 people may have been accessed during the data breach.
June 30: Union Bank and Trust notifies its customers that it has been affected by the MOVEit cyber attack. The sensitive information of its customers was accessed during the attack.
July 2: Management consulting company Aon announces that it has been impacted by the breach. Effects of this include the leak of "data relating to some employees’ pay and benefits" of almost 2,000 staff at Dublin Airport.
July 10: Clop threatens to leak a compressed 260GB dataset stolen from financial services company, Ameritrade, during the cyber attack.
July 11: Clop issues a threat to all victims of the cyber attack, warning them to not waste their time and pay the ransom, or their data will be posted online.
July 11: A number of banks and financial service providers, including 1st Source Bank, Deutsche Bank AG and ING, announce that customer information was compromised due to the MOVEit attack. Other service providers, including hotels, hospitals and those in the oil and gas industry, also announce data breaches.
July 12: Officials in Nova Scotia, Canada, decide that those impacted by the cyber attack will not receive free credit monitoring or fraud protection services due to the attack carrying “a very low risk of identity theft or fraud.”
July 12: The number of organizations impacted by the MOVEit cyber attack hits 287. While only 50 of these organizations have made public the number of people impacted by their data breaches, the number of individuals affected reaches 18,154,787.
July 12: Multiple lawsuits are launched against Johns Hopkins University and Johns Hopkins Health System regarding the MOVEit-related data breach it suffered. The lawsuits allege that Johns Hopkins failed to implement the necessary cyber security controls to protect victims' personally identifiable information.