Introduction

In May 2023 [4] [6] [9], a significant data breach occurred due to a vulnerability in the MOVEit Transfer software, affecting major organizations such as Amazon and HSBC. This breach, linked to the Cl0p ransomware group [2], exposed sensitive employee data on the dark web, highlighting the persistent cybersecurity risks associated with third-party software.

Description

A hacker operating under the pseudonym “Nam3L3ss” has leaked sensitive employee data from major organizations, including Amazon and HSBC [1] [7], on a dark web hacker forum [5], specifically BreachForums. This breach is linked to a critical vulnerability in the MOVEit Transfer software, tracked as CVE-2023-34362 [5] [6], which was first exploited in May 2023 by the Cl0p ransomware group. The vulnerability, a critical SQL injection flaw, allowed attackers to bypass authentication and access secure files [2]. The resulting breach affected over 95 million individuals across various sectors, including finance, healthcare [2], government [2], and retail [2], as reported by antivirus company Emsisoft [3].

The incident involved data from 25 organizations, leading to an estimated five million records being compromised. The leaked structured data primarily consists of employee contact information [6], including names [4] [8], work email addresses [3] [5] [6] [8] [10], desk phone numbers [3] [4] [5] [6] [9] [10], job titles [1] [4] [8], personnel numbers [3] [4] [5] [6] [8] [9] [10], cost center numbers [8], and information about supervisors [8], as well as organizational structures and building locations. An Amazon spokesperson confirmed that the compromised information does not include sensitive details like social security numbers or financial data, emphasizing that the breach originated from a third-party property management vendor, not from Amazon’s own systems. However, sensitive details regarding organizational roles and department assignments were included [11], posing significant risks as this information could facilitate targeted phishing campaigns and social engineering attacks.

Nam3L3ss has emerged on cybercrime forums [2], documenting and distributing data from the MOVEit breach [2]. Rather than exploiting the vulnerability directly [2], they have been downloading and organizing databases exposed by Cl0p and other operators [2], labeling each dataset with DataSource: MOVEit and DataDate: 2023-05-31 [2], indicating the information’s origin from Cl0p’s exploitation of the MOVEit vulnerability [2]. Nam3L3ss has indicated that this release represents only a small portion of the total data in their possession, claiming that numerous additional releases are forthcoming. They have also warned of an archive exceeding 250TB containing entire databases from various sources [7], including MySQL, PostgreSQL [7], SQL Server [7], and Azure databases [7].

While Amazon customer data was not affected by the MOVEit breach [7], the incident underscores ongoing security risks associated with third-party suppliers [7]. Experts emphasize that third-party software remains a significant cybersecurity risk for organizations [7] and that data is vulnerable wherever it resides. This situation serves as a reminder for organizations to enhance their supply chain resilience and implement robust cybersecurity measures [7], particularly swift patch management to protect against exploits in commonly used applications like MOVEit [2]. The ongoing impact of the MOVEit vulnerability and the meticulous curation of data by individuals like Nam3L3ss serve as a critical reminder of the importance of strong security measures across software platforms and third-party services [2], as stolen data rarely disappears once it is on the dark web [7]. The reputational damage from such incidents could undermine public trust and raise questions about the data security measures in place at these high-profile companies [1].

Conclusion

The MOVEit data breach serves as a stark reminder of the vulnerabilities inherent in third-party software and the potential for significant data exposure. Organizations must prioritize enhancing their cybersecurity frameworks, particularly in managing third-party risks and ensuring timely software updates. The incident underscores the need for vigilance and proactive measures to safeguard sensitive information, as the repercussions of such breaches can be long-lasting and damaging to public trust.

References

[1] https://socradar.io/moveit-data-leak-exposes-employee-data-of-amazon-hsbc-more-what-you-need-to-know/
[2] https://foresiet.com/blog/inside-the-moveit-breach-how-cl0p-and-nam3l3ss-expose-organizations-to-ongoing-cyber-threats
[3] https://www.siliconrepublic.com/enterprise/amazon-employee-data-stolen-hack-moveit-breach
[4] https://cybersecuritynews.com/moveit-0-day-employee-data-stolen/
[5] https://www.techtarget.com/searchsecurity/news/366615576/Amazon-employee-data-leaked-from-MoveIt-Transfer-attack
[6] https://www.itpro.com/security/data-breaches/amazon-confirms-employee-data-compromised-in-2023-moveit-breach-but-the-hacker-behind-the-leak-claims-a-host-of-other-big-tech-names-are-also-implicated
[7] https://www.forbes.com/sites/daveywinder/2024/11/13/was-amazon-hacked-are-your-password-and-credit-card-compromised/
[8] https://www.heise.de/en/news/MOVEit-Transfer-Stolen-data-from-Amazon-and-Co-is-for-sale-10025742.html
[9] https://www.secureworld.io/industry-news/amazon-breach-ripple-moveit
[10] https://www.techradar.com/pro/amazon-confirms-employee-data-stolen-after-third-party-moveit-breach
[11] https://www.infosecurity-magazine.com/news/amazon-moveit-leaker-claims/