Everything about the MOVEit data breach will make you angry.
It has caused millions of dollars in damage to unsuspecting victims who did nothing at all wrong.
Among the victims are public institutions, nonprofits, and schools thrown into chaos because of this callous cyber attack.
And perhaps worst of all – the attack started because of a flaw in a service that was supposed to make things MORE secure.
That’s right – the defenders dropped the ball (more on that later).
We hear about cyber attacks constantly these days. So much that they tend to blend together. Every once in a while, though, a particular attack rises above the rest to capture our collective attention.
MOVEit is one of those attacks.
If you haven’t heard of it yet, you need to be aware (especially since YOU could be a victim).
And if you have heard mention of MOVEit already, it pays to take a deeper dive because this attack has important lessons for everyone.
Spend a few minutes learning about one of 2023’s worst cyber attacks (so far). It might be exactly what keeps you safe when the next attack inevitably arrives.
What is the MOVEit Data breach?
In June, a vulnerability was discovered inside a product called MOVEit that securely transfers files.
The vulnerability was what’s known as a “critical zero-day.”
A “zero-day” is a flaw in a piece of software not known to its developers. When a zero-day is “critical,” that means it gives attackers access to critical parts of the system.
Critical zero-days are ripe for attack. Shortly after the vulnerability was announced, the attacks began.
According to Microsoft, the perpetrators were a cybercriminal group called Lace Tempest, known to use Cl0p ransomware. The gang issued a threat to release stolen data unless the companies impacted by the breaches paid a ransom by June 16.
Two days before that deadline, on June 14, the threat actors turned up the pressure by posting the names of companies they had stolen data from on the gang’s darknet website.
That list of names includes everyone from the New York Department of Education, which had the personal data of 45,000 students stolen, to the U.S. Department of Health and Human Services, where the personally identifiable information (PII) of over 100,000 people was taken.
At the time of writing, the attack was still ongoing, with new victims continuing to come forward.
The attack will eventually “end,” and the criminal hackers will retreat into the shadows.
Some 17.5 million people and counting have already had their data stolen. And for all those people, the risk won’t ever go away, even long after the attack is over.
How did one attack snare in so many victims from so many sources? The answer will shock you.
How Did The MOVEit Data Breach Happen?
The MOVEit data breach is a perfect example of a growing type of cyber attack known as a supply chain attack.
You might assume this means an attack on the supply chains that move goods from one place to another. But this refers to a different type of supply chain – the one between a software vendor and all its customers/users.
In a supply chain attack, hackers gain access to a popular tech tool, and then proceed to attack anyone who uses that tool. In this case, criminals found the critical zero-day in MOVEit, which allowed them to break into the software and make changes without attracting attention.
From inside the MOVEit software, the attackers had an entry point into the systems of anyone who used the product. It worked like a Trojan horse: the attack hid inside something that people trusted and gave special access to because of that trust. Then, when least expected, the attack revealed itself and started doing damage before the defenses could stop it.
Supply chain attacks have become a lot more common lately because they are highly effective. This tactic worked in the case of the MOVEit data breach, as it has in so many previous attacks and as it will in so many future attacks, too.
Everyone needs to be on guard against this frightening strain of cyberattacks.
What’s Different About the MOVEit Data Breach?
The MOVEit breach is not the most unique, massive, or destructive attack in history by a wide margin. But it still stands out for some interesting and important reasons that tell us something about the future of data breaches and online life.
For one, the MOVEit attack introduces a new spin on ransomware. Previously, hackers would encrypt a company’s data, and then demand a ransom to restore access. In this instance, they never encrypted the data, just stole it and threatened to release it.
Why does that matter?
It matters because ransomware attacks, one of the most destructive forms of cyber chaos ever unleashed, might be getting easier.
Before, hackers had to get the data, encrypt it, then eventually decrypt it. The MOVEit attack eliminates the last two steps. Rest assured that other attackers will notice, leading to an onslaught of copycat attacks and, unfortunately, a probable uptick in data breaches.
Some of the names on the list of victims also deserve singling out—specifically, Norton LifeLock, which provides identity theft protection services. A security provider’s reputation depends on its strong security posture. So when a provider gets attacked, like Norton LifeLock, it calls into question their commitment and capability regarding security matters.
What does this mean?
It means that consumers like you need to carefully consider your choice of identity theft protection providers and base the decision on more than who advertises the most.
Identity theft protection has never been more critical—the MOVEit breach only confirms that fact. When the biggest names in the industry are getting hacked, it’s important to seek out alternatives rather than completely write off the protection.
There are other identity theft protection services out there that you can consider switching to, such as Aura.
Who are the Victims of the MOVEit Data Breach?
At this point, it’s hard to say for certain who was and wasn’t affected by this data breach. Likewise, if you were a victim, it’s impossible to know how hackers might exploit your personal information.
The waiting and wondering can be agonizing—but since the attack is still ongoing, the details change every day.
That being said, some notable databases have been affected by the MOVEit data breach which may include your information:
- 3.5 million Oregon driver’s license holders
- 6 million Louisiana driver’s license holders
- 770,000 members of California’s Public Employee Retirement System (CalPERS)
- 1.5 million customers of Wilton Reassurance, an insurance provider
- 2.7 million Genworth Finance customers
- And others.
Unfortunately, this may just be the tip of the iceberg.
According to one expert, the MOVEit data breach may have affected most schools in America, putting the data of tens of millions of students and their parents at risk.
Also, it’s unclear how much of the stolen data the hackers have released, as well as how much they will release, who will have access to that data, and what they will do with it.
The hard, frightening fact is this: We can’t know for certain who was a victim, but given the scale of the attack already, everyone should consider their data at RISK.
Treat this like a wake-up call because if your data wasn’t affected in this attack, it would be in a future attack. You won’t be able to see it coming. However, that doesn’t mean you are a sitting duck.
What to Do if You are a Victim?
The hackers stole whatever they could from whoever they could as part of this attack.
In practice, that meant stealing personally identifiable information (PII) from individuals, including names, addresses, social security numbers, driver’s licenses, and more.
If you believe you’ve been affected by this breach, err on the side of caution and assume that your most sensitive details are now in the hands of bad people.
And those people are not only willing to exploit your data in whatever ways possible but also eager to sell it to or share it with other bad people willing to do the same.
You would be shocked at what these threat actors can do with just a little of your personal information.
They may be able to open up bank and credit card accounts and make purchases in your name. Or, they can gain access to your existing accounts—banking, email, social media, investments—where anything they do looks like it’s coming from you. These people are as clever as they are motivated. Few things stand in their way.
You would be even more shocked at how bad the identity theft can get for the victims. It’s not just annoying and expensive...it’s absolutely devastating.
There’s one bright spot, though. In a large-scale attack like this, where the perpetrators are trying to make fast money, they will go after the easiest victims first and foremost. Therefore, if you’re harder to hack, you may be ignored in favor of someone else.
It resembles the story of the two antelopes fleeing from the lion. The surviving antelope doesn’t need to be faster than the lion—just faster than the other antelope.
How does that apply in the case of the MOVEit data breach? How do you make yourself harder to exploit, even if criminals already have some (or A LOT) of your private information?
We cover that in the next section, which is the most important part of this entire piece because it covers real-world advice to protect your identity and stay safe online.
How to Protect Your Personal Data
More attacks like MOVEit are in progress already, and many more are coming down the pipeline. This problem will get worse (MUCH worse) before it gets better. That’s why we encourage everyone, regardless of whether you were a victim of the MOVEit breach or not, to take the steps outlined below.
You can’t be too cautious online. You also can’t underestimate how many threats are out there. Now that almost all of us put our financial, medical, and personal information online, we put it at risk. Of course, the convenience of the Internet balances out that risk—but it doesn’t reduce the risk.
Only YOU can do that, starting with these steps:
- Change Your Passwords – Data breaches give criminals important clues for how to break into your accounts. It’s also a cybersecurity best practice to periodically change your login credentials. For both reasons, take the time to change the passwords to your most important accounts (email and banking, for sure; Netflix is probably okay, though). Choose strong passwords, and pick a unique password for each account—using a password manager makes both easier.
- Activate 2FA – Two-factor authentication (2FA) asks for your username and password, followed by a second form of authentication: one-time code, personal PIN, phone notification, biometric scan, etc. Enabling 2FA, which is free and easy for most accounts, makes it MUCH harder for anyone except yourself to get in, putting up a roadblock that few, if any, criminals will want to deal with.
- Check for Updates – If you know the MOVEit data breach affects you because of your relationship with one of the hacked companies, check with that company for any updates. They may have essential patches and software updates you need to download, or they may be offering resources that could help. Similarly, check your computer, browser, and personal security software for any updates.
- Monitor Accounts – The weeks and months (and potentially years) after a data breach are when keeping an eye on your accounts is essential. Watch your bank account for withdrawals or transfers, your credit cards for unusual purchases, and your credit report for new accounts. This would also be a prudent time to freeze your credit, making it impossible to open new lines of credit until you unfreeze it.
- Protect Your Identity – Subscribing to an identity theft protection plan like Aura, for example, gives you powerful protections before, during, and after a data breach, including suspicious activity monitoring, identity protection, antivirus, spam removal, and more, all combined into a convenient package. The right provider keeps you far more protected than you ever could be on your own. That way, even if you are involved in a data breach (or another data breach), you may be able to prevent, minimize, or mitigate the damage in ways you couldn’t otherwise. The digital world is dangerous. Identity theft protection is quickly becoming a must-have personal safety measure.
Conclusion – The Clock is Ticking
Even though the MOVEit data breach hasn’t ended yet, it will soon be overshadowed by the next major data breach. It’s a question of when, not if, people will have their personal data exposed.
The clock is ticking on the next attack. That’s not all, though. The clock is also ticking on the next time someone attempts to access your accounts, posts your data for sale on the dark web, or targets you for a phishing scheme. It’s a constant threat that calls for constant protection.