The Breach: Scope and impact
The University System of Georgia (USG) notified 800,000 people about data breaches during the 2023 Clop MOVEit attacks. USG is a state government body that oversees 26 public colleges and universities in Georgia, serving approximately 340,000 students. USG, which controls the state's higher education institutions, revealed that 800,000 people's info was exposed in late May due to the Cl0p ransomware operation's massive MOVEit file transfer system hack.
Attack Vector: MOVEit file transfer software
The Clop ransomware group used a zero-day vulnerability in Progress Software's MOVEit Secure File Transfer product in late May 2023 to launch a major global data theft campaign.
Clop Gang: Data exfiltration and ransom demand
When the threat group launched its extortion phase in the MOVEit attacks, which affected hundreds of organizations worldwide, USG was one of the first to be identified as hacked. Almost a year later, with the assistance of the FBI and CISA, the USG discovered that Clop had stolen sensitive material from its networks and began informing affected individuals.
What kind of info compromised?
According to USG notice, the data breach notifications were made between April 15 and April 17, 2024, telling recipients that hackers obtained the following info:
- Full or partial (last 4 digits) Social Security Number
- Date of Birth Bank account number(s)
- Federal income tax documents with Tax ID number
Russian malware: Clop alert
The Russian-affiliated ransomware group Clop is suspected of being behind the attacks, which have affected over 2,500 businesses worldwide, with more than 80% situated in the United States. The Aftermath: Challenges and Responses Because the number of impacted individuals exceeds the number of USG students, and given the nature of the material, the incident is likely to touch former students, academic staff, contractors, and other personnel.
The firm sent a sample of the data breach notice to the Maine Attorney General's Office Friday, claiming that the issue affects 800,000 persons. Finally, the listing on Maine's site mentions a driver's license number or ID card number as accessible data categories, yet these are not listed in the notification.
Mitigation Efforts
USG now gives impacted persons 12 months of identity protection and fraud detection services through Experian, with an enrollment deadline of July 31, 2024. Clop's MOVEit cyber attacks were among the most effective and widespread extortion campaigns in recent history.
Almost a year later, companies are still discovering, confirming, and disclosing breaches, extending the impact. Emsisoft's MOVEit victim counter indicates 2,771 impacted companies and approximately 95 million individuals whose personal information is stored on Clop's servers.