MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people’s data stolen

Quick show of hands: whose data hasn’t been stolen in the mass exploitation of Progress Software’s vulnerable MOVEit file transfer application? Anyone?

According to security shop Emsisoft, 2,620 organizations and more than 77 million individuals have been impacted to date, with millions in the past week alone have received notifications that their info was either accessed, leaked, or both after the Russian ransomware gang Clop exploited a security hole in MOVEit back in May to steal files from compromised instances.

Embarrassingly antivirus biz Avast is among these new-ish victims, which recently disclosed the crooks accessed some “low-risk customer personal information.” 

“We take this seriously and are notifying impacted customers and offering dark web monitoring services free of charge,” the developer xeeted on October 25. 

That free dark-web monitoring likely came in handy to the 3 million customers whose info has reportedly been leaked on a hacking forum.

According to the UK’s Times, the information posted “is primarily limited to name and/or contact information, as well as information on the product you purchased from us. No banking details, credit card numbers or high-risk data such as login information or account details were taken.” 

An Avast spokesperson declined to answer specific questions about the breach, though sent The Register the following statement:

Not one to let an opportunity to up-sell slip by, the org recommended that affected customers also pay for an enhanced security service. As expected, users aren’t too happy with Avast’s “shameless marketing tactics” and took to a web forum to voice their complaints.

“I received an email today about Avast customer data being leaked on the dark web. In the email, Avast recommends signing up for an additional paid service,” one user noted. 

According to another customer:

It appears the old adage that one person’s breach is another’s business opportunity rings true.

Millions more patients’ data stolen

In more MOVEit news, Welltok, which provides patient communication services for healthcare providers across the US, has been busy notifying patients that their supposedly private healthcare data really isn’t.

The Virgin Pulse-owned company has sent notification letters to more than 1.6 million patients alerting them that their names, addresses, dates of birth, and health information may have been stolen by miscreants abusing MOVEit, according to a November 18 filing with the Maine Attorney General’s office.

Specifically, this information belonged to people with group health plans from Stanford Health Care, Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance.

Welltok did not immediately respond to The Register‘s request for comment.

In a letter sent to those affected patients, Welltok says it first learned that its MOVEit instance had been compromised back in July, after it had “previously installed all published patches and security upgrades immediately upon such patches being made available by Progress Software.” [PDF]

Things basically got worse from there on out.

By August, it determined criminals had, in fact, managed to “exfiltrate certain data,” and in October Welltok began notifying Sutter Health patients that their personal information may have been accessed. 

Sutter provides health care to more than three million people in northern California.

Welltok also provides patient data communications for Michigan’s Corewell Health as well as its Priority Health lifestyle portal, and a ton of those patients also were hit by the MOVEit breach.

Last week, Welltok said about one million Corewell Health patients and 2,500 Priority Health members were impacted. For Priority Health members stolen data included name, address and health insurance identification number. Corewell Health patients’ may have had their names, dates of birth, email addresses, phone numbers, diagnosis, health insurance information and Social Security numbers exposed.

Also last week, Welltok notified 89,556 patients of St. Bernards Healthcare that their data may have been compromised in the MOVEit fiasco. 

“The information accessed by the unknown actor may have included, depending on the individual, their name, address, date of birth, social security number, email address, phone number, patient identification number, health insurance information, provider’s name, and medical treatment or diagnosis information,” according to the Arkansas-based health care provider. ®

READ MORE HERE