Featured Article

MOVEit, the biggest hack of the year, by the numbers

At least 60 million individuals affected, though the true number is far higher

Comment

colorful numbers on a blue red and white background
Image Credits: Frank Ramspott / Getty Images

The mass-exploitation of MOVEit Transfer software has rapidly cemented itself as the largest hack of the year so far. While the full impact of the attack will likely remain untold for months to come, there are now more than 1,000 known victims of the MOVEit breach, according to cybersecurity company Emsisoft.

This milestone makes the MOVEit breach not just the largest hack of 2023 — but also one of the largest in recent history.

The fallout began in May when Progress disclosed a zero-day vulnerability in MOVEit Transfer, its managed file transfer service used by thousands of organizations around the world to move large amounts of often-sensitive data over the internet. The critical-rated vulnerability allowed attackers — specifically the notorious Clop ransomware and extortion gang — to raid MOVEit Transfer servers and steal customers’ sensitive data stored within.

Since then, Clop’s attacks and threats to publish the stolen data if it doesn’t receive payments have continued unabated, as have the number of known victim organizations, known impacted individuals and the costs associated with the fallout.

We take a look at the MOVEit mass hack by the numbers.

60,144,069

Just as the number of known victim organizations crossed the 1,000 milestone on August 25, the number of impacted individuals also surpassed the 60 million mark.

This figure, published by Emsisoft, is sourced from state breach notifications, SEC regulatory filings and other public disclosures. Emsisoft notes that while there will invariably be some overlap in terms of individuals impacted, the number is only likely to increase as more organizations continue to confirm MOVEit-related data breaches.

83.9%

U.S.-based organizations account for 83.9% of known MOVEit corporate victims, according to Emisoft’s researchers. Organizations in Germany account for about 3.6% of total victims, followed by Canadian companies at 2.6% and firms in the United Kingdom at 2.1%.

11 million

In July, U.S. government services contracting giant Maximus became the largest victim of the MOVEit breach after confirming that hackers accessed the protected health information — including Social Security numbers — of as many as 11 million individuals. The Virginia-based firm said at the time that it had not yet determined the exact number of individuals affected.

The scale of this incident is closely followed by the compromise of the French government’s unemployment agency, Pôle emploi, which recently confirmed a breach impacting the personal data of up to 10 million people. This makes the French agency the second-largest known victim of the mass-hack.

Rounding out the top five MOVEit victims list is the Louisiana Office of Motor Vehicles (6 million). Colorado Department of Health Care Policy and Financing (4 million) and the Oregon Department of Transportation (3.5 million).

30.86%

About one-third of hosts running vulnerable MOVEit servers at the time the mass-hacks began belonged to financial service-related organizations, according to security analysis firm Censys.

The report, which analyzed 1,400 MOVEit servers that were openly accessible on the internet, found that 15.96% of hosts were associated with the healthcare sector, 8.92% were linked to information technology organizations and 7.5% were attributed to government and military entities.

$9,923,771,385

This is the estimated total cost of the MOVEit mass-hacks so far. The number is based on IBM data, which found the average data breach last year cost $165, coupled with the number of individuals confirmed to have been impacted.

However, as noted by Emsisoft, only a handful of corporate victims have so far reported the number of individuals known to be affected. Emsisoft said that if the number was scaled, the cost would be at least $65 billion to date.

2021

Researchers believe that Clop may have been sitting on its MOVEit exploit as far back as 2021. U.S. risk consulting firm Kroll said in a report that while news of the vulnerability first emerged in late May, Kroll researchers identified activity indicating that Clop had been experimenting with exploiting this vulnerability for almost two years.

“It appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel,” Kroll states.

$10,000,000

The U.S. State Department offered a $10 million bounty related to information on the Clop ransomware group after records from a number of department’s entities were compromised in the MOVEit breach.

The Department of Energy confirmed to TechCrunch that two of its entities were among those breached.

$100,000,000

This is how much money Clop could earn from the MOVEit mass-hacking campaign, according to ransomware recovery company Coveware, with that sum derived from just a small handful of victims who gave into the hackers’ demands and paid significant ransom payments.

“This is a dangerous and staggering sum of money for one, relatively small group to possess. For context, this amount is larger than the annual offensive security budget of Canada,” said Coveware.

Zero

This is the amount of government data that Clop claims to hold on government, city or police services. In a post on its dark web leak site, the gang said it would “do the polite thing” and delete all government-related data. Clop has not provided evidence for this claim, nor has TechCrunch been able to verify its claim. “We are only financial [sic] motivated,” the hackers wrote.

The MOVEit mass hacks hold a valuable lesson for the software industry

More TechCrunch

WhatsApp is updating its mobile apps for a fresh and more streamlined look, while also introducing a new “darker dark mode,” the company announced on Thursday. The messaging app says…

WhatsApp’s latest update streamlines navigation and adds a ‘darker dark mode’

Plinky lets you solve the problem of saving and organizing links from anywhere with a focus on simplicity and customization.

Plinky is an app for you to collect and organize links easily

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: How to watch

For cancer patients, medicines administered in clinical trials can help save or extend lives. But despite thousands of trials in the United States each year, only 3% to 5% of…

Triomics raises $15M Series A to automate cancer clinical trials matching

Welcome back to TechCrunch Mobility — your central hub for news and insights on the future of transportation. Sign up here for free — just click TechCrunch Mobility! Tap, tap.…

Tesla drives Luminar lidar sales and Motional pauses robotaxi plans

The newly announced “Public Content Policy” will now join Reddit’s existing privacy policy and content policy to guide how Reddit’s data is being accessed and used by commercial entities and…

Reddit locks down its public data in new content policy, says use now requires a contract

Eva Ho plans to step away from her position as general partner at Fika Ventures, the Los Angeles-based seed firm she co-founded in 2016. Fika told LPs of Ho’s intention…

Fika Ventures co-founder Eva Ho will step back from the firm after its current fund is deployed

In a post on Werner Vogels’ personal blog, he details Distill, an open-source app he built to transcribe and summarize conference calls.

Amazon’s CTO built a meeting-summarizing app for some reason

Paris-based Mistral AI, a startup working on open source large language models — the building block for generative AI services — has been raising money at a $6 billion valuation,…

Sources: Mistral AI raising at a $6B valuation, SoftBank ‘not in’ but DST is

You can expect plenty of AI, but probably not a lot of hardware.

Google I/O 2024: What to expect

Dating apps and other social friend-finders are being put on notice: Dating app giant Bumble is looking to make more acquisitions.

Bumble says it’s looking to M&A to drive growth

When Class founder Michael Chasen was in college, he and a buddy came up with the idea for Blackboard, an online classroom organizational tool. His original company was acquired for…

Blackboard founder transforms Zoom add-on designed for teachers into business tool

Groww, an Indian investment app, has become one of the first startups from the country to shift its domicile back home.

Groww joins the first wave of Indian startups moving domiciles back home from US

Technology giant Dell notified customers on Thursday that it experienced a data breach involving customers’ names and physical addresses. In an email seen by TechCrunch and shared by several people…

Dell discloses data breach of customers’ physical addresses

Featured Article

Fairgen ‘boosts’ survey results using synthetic data and AI-generated responses

The Israeli startup has raised $5.5M for its platform that uses “statistical AI” to generate synthetic data that it says is as good as the real thing.

4 hours ago
Fairgen ‘boosts’ survey results using synthetic data and AI-generated responses

Hydrow, the at-home rowing machine maker, announced Thursday that it has acquired a majority stake in Speede Fitness, the company behind the AI-enabled strength training machine. The rowing startup also…

Rowing startup Hydrow acquires a majority stake in Speede Fitness as their CEO steps down

Call centers are embracing automation. There’s debate as to whether that’s a good thing, but it’s happening — and quite possibly accelerating. According to research firm TechSci Research, the global…

Retell AI lets companies build ‘voice agents’ to answer phone calls

TikTok is starting to automatically label AI-generated content that was made on other platforms, the company announced on Thursday. With this change, if a creator posts content on TikTok that…

TikTok will automatically label AI-generated content created on platforms like DALL·E 3

India’s mobile payments regulator is likely to extend the deadline for imposing market share caps on the popular UPI (unified payments interface) payments rail by one to two years, sources…

India likely to delay UPI market caps in win for PhonePe-Google Pay duopoly

Line Man Wongnai, an on-demand food delivery service in Thailand, is considering an initial public offering on a Thai exchange or the U.S. in 2025.

Thai food delivery app Line Man Wongnai weighs IPO in Thailand, US in 2025

The problem is not the media, but the message.

Apple’s ‘Crush’ ad is disgusting

Ever wonder why conversational AI like ChatGPT says “Sorry, I can’t do that” or some other polite refusal? OpenAI is offering a limited look at the reasoning behind its own…

OpenAI offers a peek behind the curtain of its AI’s secret instructions

The federal government agency responsible for granting patents and trademarks is alerting thousands of filers whose private addresses were exposed following a second data spill in as many years. The…

US Patent and Trademark Office confirms another leak of filers’ address data

As part of an investigation into people involved in the pro-independence movement in Catalonia, the Spanish police obtained information from the encrypted services Wire and Proton, which helped the authorities…

Encrypted services Apple, Proton and Wire helped Spanish police identify activist

Match Group, the company that owns several dating apps, including Tinder and Hinge, released its first-quarter earnings report on Tuesday, which shows that Tinder’s paying user base has decreased for…

Match looks to Hinge as Tinder fails

Private social networking is making a comeback. Gratitude Plus, a startup that aims to shift social media in a more positive direction, is expanding its wellness-focused, personal reflections journal to…

Gratitude Plus makes social networking positive, private and personal

With venture totals slipping year-over-year in key markets like the United States, and concern that venture firms themselves are struggling to raise more capital, founders might be worried. After all,…

Can AI help founders fundraise more quickly and easily?

Google has found a way to bring a variation of its clever “Circle to Search” gesture to iPhone users. The new interaction, launched in January, allows Android users to search…

Google brings a variation on ‘Circle to Search’ to iPhone users

A new sculpture going live on Wednesday in the Flatiron South Public Plaza in New York is not your typical artwork. It combines technology, sociology, anthropology and art to let…

Always-on video portal lets people in NYC and Dublin interact in real time

Apple’s iPad event had a lot to like. New iPads with new chips and new sizes, a new Apple Pencil, and even some software updates. If you are a big…

TechCrunch Minute: When did iPads get as expensive as MacBooks?