In June of 2023, a popular file-sharing software amongst big-name companies, like Shell, Siemens Energy, Sony, several large law firms, and a number of US federal agencies, was hacked by the Russian-linked cybercrime group, “Cl0p.” Initially, there were 138 known companies impacted by the breach, resulting in the personal information of more than 15 million people being compromised. As of October 18, 2023, over 2,500 organizations were affected and more than 66 million individuals.
Even though many of these companies have cybersecurity budgets in the millions, they were still affected by the breach due to a piece of software they use to run their business.
How did the MOVEit breach happen?
Progress Software’s “MOVEit,” is advertised as a tool to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance;” however, it was exploited by a tactic called a zero-day attack . This occurs when there is a flaw in the application that creates a gap in security and has no available patch or defense because the software maker doesn’t know it exists. Cybercriminals quickly release malware to exploit the vulnerability before the software maker can patch it, essentially giving them “zero days” to respond.
These attacks are difficult to prevent and can quickly and easily ruin smaller businesses. Depending on the organization’s motives, the stolen data can be deleted, held for ransom, or sold on the dark web . If the data is able to be recovered, companies might still end up paying out thousands or more in fines and lawsuits, losing money from downtime and coming out on the other end with a damaged reputation that causes clients to leave anyway. In MOVEit’s case, the cybercrime agency, Cl0p, has claimed on their website that their motivation was purely financial and has allegedly deleted data obtained from government agencies, as they were not the intended targets.
What does this mean for small businesses?
For starters, it underlines the harsh reality that cybersecurity isn’t just the concern of big businesses and government agencies. In fact, small businesses can be more vulnerable to cyberattacks, as they often dedicate fewer resources to protection.
It also means that even if an organization is secure, the third-party vendors they work with and the tools they use in their business still pose potential risks. Even if MOVEit’s affected customers had strong cybersecurity measures in place, those companies still must go back to their clients, disclose what happened and face the verbal, legal and financial repercussions that comes with a data breach.
The MOVEit hack serves as a grim reminder of the critical importance of cybersecurity for businesses of all sizes. In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cybersecurity must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for the business and its customers.
Want to learn more about how to protect your business from cyber threats?