MOVEit breach implications go from bad to worse

The systemic attack on Progress Software’s MOVEit file transfer software is one of the most catastrophic in recent memory. The vulnerability was initially disclosed by Progress on 31 May 2023. Over the following months, the true depth and severity of the breach became apparent.

At the time of writing, almost 700 companies, from more than 30 countries, are known to have been impacted. The full scale of the cumulative breaches is unknown, but some analysts estimate the personal data of over 100 million individuals has been compromised, with the US being hit harder than most.

The MOVEit vulnerability enabled attackers to leverage SQL injection on public-facing servers. The attack uses a custom web shell (LemurLoot) that is disguised as legitimate ASP.NET files to access sensitive data. Although the attack is believed to have begun in May 2023, subsequent risk analysis has indicated Clop, the entity responsible for the attack, had been aware of the vulnerability and experimenting with ways to exploit it for almost two years.

The list of victims continues to grow, with some high-profile organisations suffering data losses. In Australia, the nation’s largest private health insurer, Medibank, is feeling the effects of a second major incident. Global professional services firms EY and PwC are amongst the businesses effected, as are several banking and government institutions in Canada and the US. No industry appears to have escaped, with healthcare, financial services, manufacturing, energy, eCommerce, automotive and logistics companies all reporting breaches.

In the UK, some of the biggest names in the business have been hit, including the BBC, British Airways, Boots the Chemist, Deloitte, and the Office of Communications (Ofcom). In the US, where over 500 organisations have been targeted, a significant number of academic institutes were impacted, plus state and central government agencies.

 

The importance of secure file sharing in a hybrid world

In the years since the COVID-19 pandemic, most businesses have settled into a hybrid working environment, with a significantly higher proportion of employees working from home, either full- or part-time. The same policy is evident amongst local and central government, where working from home has become the norm, rather than the exception.

The sensitive nature of day-to-day data exchanges between central office locations and remote or mobile workers places an emphasis on the security of the devices and platforms used. Email is not a suitable medium for the exchange of sensitive or personally identifiable information, or the distribution of confidential attachments, the litany of email-related data breaches over the past 30 years is testament to that.

Since the introduction of public cloud-based file sharing systems in the late 2000’s, the popularity of solutions such as Box, Dropbox, OneDrive, and Google Drive have been on the rise. Combining ease of use with ubiquitous access, they have established positions within the consumer and commercial marketplace, along with many others.

The challenge for businesses and government agencies alike is that none of these are built from “secure by design” principles. They prioritize accessibility over security. The nature of the data being exchanged should determine the security of the system in place. In the same way that email is not suitable for the exchange of sensitive information, neither is an insecure file sharing platform.

 

What does secure file sharing and storage look like?

What makes a secure file sharing and storage solution? It needs to be secure by design, but security shouldn’t come at the cost of convenience. It should be packed with enhanced security features, including standards-based encryption, file fragmentation, zero-trust key management and, for those with data sovereignty requirements, 100% control over where your data is held.

For organisations that take cybersecurity seriously, it should address 5 key file sharing and storage challenges:

  1. You are sharing personally identifiable, confidential, or high-value information that, should a breach occur, could result in financial penalties, loss of revenue or reputation.
  2. Industry regulations, or internal IT policies prevent you from using public file sharing and storage applications as they do not meet best-practice security standards.
  3. You believe security should come first and are building a zero-trust environment where best-in class security solutions protect both your data and infrastructure.
  4. Your hybrid workforce is geographically distributed, and you need to enable secure file sharing across public infrastructure and on a variety of user-owned devices.
  5. Data protection mandates dictate where your information is stored, so you need a solution that provides 100% control over file location to ensure data sovereignty.

SureDrop by Senetas is built from security-first principles, by a cybersecurity firm. It offers users the ability to collaborate with confidence.

Useful links:

Stay up to date with the latest cybersecurity news from Senetas. Subscribe to "The View"

Go back
Senetas Logo
Senetas Logo