Big data breaches come with big cost. You probably already know that, but are you really keeping up with the numbers? As of August 25, 2023, the average cost of a data breach for the year was calculated to be $4.45 million. That’s up 15% compared to 2020.
But remember, that’s the average. At the high end, if a large organization loses 50 million or more records, the cost tops $300 million. It’s no surprise that the same IBM study found that 51% of organizations are planning increased investment in cybersecurity.
The MOVEit breach
When a Russian ransomware group called Cl0p exploited a vulnerability in Progress Software’s MOVEit enterprise file transfer utility, beginning in May 2023, they were able to steal and hold hostage vast amounts of data. The attack is still unfolding, with Cl0p announcing new victims frequently, but this incident is already on track to become the most catastrophic and costly data breach in recent history.
Victims of the MOVEit breach
More than 2,500 organizations so far have reported being attacked, affecting the data of more than 67 million individuals.
- BORN Ontario, a registry of infants and people seeking pre- and post-natal care, lost data of 3.4 million individuals, including records from 2010 to 2023.
- Maximus, a massive U.S. government services contractor, lost the personal data of between 8 million and 11 million individuals, including Social Security numbers and health data.
- Pôle Emploi, the French government employment agency, lost the data of as many as 10 million individuals.
- The U.S. Dept. of Justice and the Pentagon suffered a breach of 632,000 email accounts.
Those are just some of the top victims to emerge so far. Many millions of other individual records have also been stolen in this breach.
Lessons from the breach
Like other recent large-scale breaches, this one involves the compromise of a very widely used piece of software that no one thinks about much — it’s just a part of the infrastructure that securely and reliably moves protected files around as needed.
Because MOVEit is so widely used, a single attack was able to affect a very wide variety of target organizations.
Across state and federal agencies, pension funds, state DMVs, financial services firms, nonprofits, and other organizations, the total amount of personally identifying information taken in this breach is breathtaking.
Some victims have received ransom demands to prevent public exposure of their data, and some have paid. No doubt many are closely rereading their cyber-insurance policies.
Protection against these types of attacks
Defending against a zero-day exploit like the one used in the MOVEit breach can be challenging, but you can reduce risks by building a comprehensive, integrated security infrastructure. An advanced web-application-and-API-protection (WAAP) platform like Barracuda Application Protection can help uncover and mitigate some risks from software supply chains and third-party applications.
Part of what’s driving the huge reach of this breach is the complexity of modern software supply chains. Around a third of known victims were affected via third parties, such as subcontractors, contractors, and vendors, and the full spread of effects is yet to be understood.
Redesigning and rebuilding software procurement and development processes to optimize security up and down the supply chain is a major challenge, but the resulting reduction in exposure to cyber risk makes it worthwhile for many organizations.