
800,000 exposed in MOVEit attack in 2023

Image: Georgia Institute of Technology Tech Tower (RobRainer)

The University System of Georgia (USG) is sending data breach notifications to 800,000 people whose data was exposed in the 2023 Clop MOVEit attacks.

USG is a state government agency that operates 26 public colleges and universities in Georgia, serving over 340,000 students.

The Clop ransomware gang exploited a zero-day vulnerability in Progress Software’s MOVEit Secure File Transfer solution to conduct a massive global data theft campaign in late May 2023.


When the threat group began its extortion phase as part of the MOVEit attacks, which affected thousands of organizations worldwide, USG was among the first to be listed as compromised.

Nearly a year later, USG, with help from the FBI and CISA, determined that Clop had stolen confidential files from its systems and began notifying those affected.

The data breach notifications were sent between April 15 and 17, 2024, informing recipients that the cybercriminals had accessed the following information:

  • Full or partial (last four digits) Social Security Number
  • Birth date
  • Bank account number(s)
  • Federal income tax documents with tax ID number

Given that the number of individuals affected is greater than the number of students USG serves, and given the nature of the information, the incident likely also affects former students, academic staff, contractors and other personnel.

The organization submitted a sample data breach notification to the Maine Attorney General’s Office yesterday and said the data breach affected 800,000 people.

Additionally, the entry on the Maine portal lists driver’s license number or ID card number among the disclosed data types, although these are not mentioned in the notice.

USG is now offering 12 months of identity protection and fraud detection services to affected individuals through Experian, with recipients having until July 31, 2024 to sign up.

Clop’s MOVEit attacks were one of the most successful and productive extortion operations in recent history. More than a year after they occurred, organizations are still discovering, confirming and disclosing breaches, prolonging the aftermath.

Emsisoft’s dedicated MOVEit victim count lists 2,771 affected organizations and nearly 95 million individuals whose personal data resides on Clop’s servers.

Some of this data was published on Clop’s blackmail portal on the dark web, some was sold to cybercrime groups, and some has yet to be monetized.