IOTW: A full timeline of the MOVEit cyber attack

The MOVEit cyber attack is now thought to have just under 50 victims

Olivia Powell
06/23/2023

A full timeline of the MOVEit cyber attack

Note: This article is being continuously updated to add further information and dates to the timeline.

Ransomware gang Clop, which has taken responsibility for the cyber attack launched against document transfer service MOVEit, has announced that it has not stolen data from companies thought to be impacted by data breaches linked to the attack. These companies include the UK’s British Broadcasting Company (BBC), British Airways and high street health and beauty retailer Boots.

Since June 14, Clop has been posting company profiles of companies allegedly impacted by data breaches caused by the cyber attack against MOVEit. These posts are an attempt to pressure victims into paying a ransom to the gang. So far, the names, company addresses and websites of almost 50 victims have been added to the site, but no confidential data has yet been leaked.

Of the companies named on the site, prominent British companies thought to have had data stolen during the breach of payroll provider Zellis – including the BBC, BA and Boots – were not included.

In emails exchanged with the BBC, Clop claimed to have never had access to this data, saying they even told Zellis that they had not breached these companies.

“We don't have that data and we told Zellis about it. We just don't have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” the gang told the BBC.

When asked by the BBC for more information on the breach, Zellis said it could “confirm that a small number of [its] customers have been impacted by this global issue and [the company is] actively working to support them”.

How did the MOVEit cyber attack happen?

The cyber attack against MOVEit saw ransomware gang Clop exploit a critical zero-day vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data. 

The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to address the issue.   

On June 5, payroll provider Zellis announced that it had been affected by the MOVEit cyber attack, and that a “small number” of its customers had suffered data breaches as a result. These victims were originally thought to include the BBC, Boots and BA; however, on June 21 Clop claimed that it never had access to this data.

A number of victims, including accounting firm PwC, British watchdog Ofcom and Health Service Ireland, made statements in the days and weeks following the cyber attack that they had suffered a data breach linked to it.

Ransomware gang Clop later took ownership of the cyber attack by attempting to exploit its victims. In a post on the gang’s Telegram channel, the malicious actors demanded victims pay them by June 14, or their data would be released.

Starting from this day, they released information including company names, addresses and websites on their darknet site in an attempt to convince the victims to contact them and pay them money to not release their data.

A timeline of the MOVEit cyber attack

June 1: MOVEit’s vulnerability is flagged by cyber security researchers and the US government. MOVEit issues a patch for the software vulnerability.

June 5: Payroll provider Zellis announces that it was impacted by the MOVEit cyber attack. Companies including the BBC, Boots and British Airways suffer data breaches as a result.

June 7: Ransomware gang Clop issues a threat to victims to contact them by June 16, or their data will be posted online.

June 7: CISA and the FBI announce a US$10 million reward for “information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government”.

June 8: Professional services network and accounting firm, Ernst & Young (EY) announces that it was impacted by the MOVEit cyber attack. As a result, Health Service Ireland (HSE) suffered a data breach.

June 12: British communications watchdog Ofcom announces that it was a victim of the MOVEit cyber attack, causing a data breach that affected 412 employees.

June 14: Clop begins to post the profiles of companies allegedly breached during the cyber attack launched against MOVEit on its data leak website. Clop does not leak any of the stolen data.

June 15: CISA announces it is working with "multiple [US] federal agencies" that have been impacted by the MOVEit cyber attack. Affected agencies include two Department of Energy entities.

June 19: Accounting firm PriceWaterhouseCoopers (PwC) announces it was impacted by the MOVEit cyber attack.

June 21: Clop claims to not have access to data from the BBC, Boots and BA that was thought to be stolen in the MOVEit cyber attack.

June 23: PBI Research Services announces that the data of 4.75 million people was stolen from three of its clients (Genworth Financial, Wilton Reassurance and California Public Employees' Retirement System (CalPERS)) because of the MOVEit cyber attack. Data stolen during the breach includes social security numbers, names, dates of birth and zip codes.

June 26: The New York Department of Education announces that the personal data of 45,000 New York City students was stolen in the cyber attack against MOVEit.

June 27: Siemens Energy and Schneider Electric both state they have been affected by the MOVEit cyber attack. Siemens says "no critical data [was] compromised" during the breach of its systems. Schneider Electric announces that, once it was made aware of the breach, it "promptly deployed available mitigations to secure data and infrastructure" and that its cyber security team is "currently investigating" the cyber attack.

June 29: The US Department of Health and Human Services notifies Congress that it has been impacted by the MOVEit cyber attack. The data of more than 100,000 people may have been accessed during the data breach.

June 30: Union Bank and Trust notifies its customers that it has been affected by the MOVEit cyber attack. The sensitive information of its customers was accessed during the attack.

July 2: Management consulting company Aon announces that it has been impacted by the breach. Effects of this include the leak of "data relating to some employees’ pay and benefits" of almost 2,000 staff at Dublin Airport.

July 10: Clop threatens to leak a compressed 260GB dataset stolen from financial services company, Ameritrade, during the cyber attack.

July 11: Clop issues a threat to all victims of the cyber attack, warning them to not waste their time and pay the ransom, or their data will be posted online.

July 11: A number of banks and financial service providers, including 1st Source Bank, Deutsche Bank AG and ING, announce that customer information was compromised due to the MOVEit attack. Other service providers, including hotels, hospitals and those in the oil and gas industry, also announce data breaches.

July 12: Officials in Nova Scotia, Canada, decide that those impacted by the cyber attack will not receive free credit monitoring or fraud protection services due to the attack carrying “a very low risk of identity theft or fraud.”

July 12: The number of organizations impacted by the MOVEit cyber attack hits 287. While only 50 of these organizations have made public the number of people impacted by their data breaches, the number of individuals affected reaches 18,154,787.

July 12: Multiple lawsuits are launched against Johns Hopkins University and Johns Hopkins Health System regarding the MOVEit-related data breach it suffered. The lawsuits allege that Johns Hopkins failed to implement the necessary cyber security controls to protect victims' personally identifiable information.

July 26: The number of organizations affected by the MOVEit cyber attack reaches 455. Over 23 million people have their details exposed by subsequent data breaches. It is estimated that those responsible for the breach could make more than $100 million off the attack.

August 5: Clop uses torrents to release data stolen during the cyber attack. The gang posts instructions on how to download the data by using torrent clients on a Tor site, as well as providing magnet links for 20 victims.

August 8: Cyber security experts, including IT analyst Bert Kondruss and cyber security firm Emsisoft, announce that the MOVEit cyber attack has impacted more than 600 organizations and approximately 35-40 million individuals.

August 10: Clop threatens to release the data of all companies which have not yet paid the ransom for said stolen data by August 15.

August 25: The number of victims of the MOVEit cyber attack reaches 951 organizations and 48.8 to 53.7m individuals.

August 30: Emsisoft and KonBriefing Research report that more than 1,000 organizations have been impacted. Estimates for the total number of victims of the MOVEit cyber attack range between 1,011-1,053 organizations and 49-60.6 million individuals.

September 7: KonBriefing Research updates the victim count of the MOVEit cyber attack to 1132 organizations and 53.8 to 58.6m individuals.

September 26: The victim count of the MOVEit cyber attack is raised to 2040 organizations and 55.7 to 60.6 million individuals by KonBriefing.

October 4: The number of victims of the MOVEit cyber attack is estimated to be more than 2200 organizations and around 60-65 million individuals.

October 11: KonBriefing updates the victim count of the MOVEit cyber attack to 2274 organizations and 62.5-67.4 million individuals.

October 30: A Freedom of Information request reveals that the email addresses of 630,000 federal government employees have been breached, including those belonging to staff working for the Department of Justice, the Air Force and the US Army. 

