Incident Response

MOVEit Breach Impact Assessment: The Cl0p Campaign's Fallout

The MOVEit breach became one of the largest data theft incidents in history. Here's an assessment of the damage and what organizations should learn.

Alex
Security Analyst
7 min read

By mid-June 2023, the scope of the Cl0p MOVEit campaign was becoming staggeringly clear. What started as a single zero-day exploitation had cascaded into one of the largest data theft incidents in history. This wasn't just a breach of MOVEit users — it was a breach of their customers, partners, and anyone whose data flowed through those MOVEit Transfer instances.

The Numbers

As of June 2023 (with the count still growing):

  • 2,500+ organizations directly or indirectly affected
  • 65+ million individuals had personal data exposed
  • $10+ billion in estimated damages across all victims
  • Organizations in 30+ countries were impacted
  • Every major sector was hit: government, healthcare, finance, education, energy, retail

These numbers continued to grow throughout the summer of 2023 as more organizations disclosed their exposure.

The Cascade Effect

What made the MOVEit breach so devastating wasn't just the number of organizations running MOVEit Transfer. It was the cascade effect through vendor and partner relationships.

Direct Victims

Organizations that ran MOVEit Transfer and were directly compromised. These organizations had the Cl0p web shell on their servers, and their stored files were exfiltrated. Examples included US federal agencies, UK telecom providers, and major financial institutions.

Indirect Victims (First Order)

Organizations that didn't run MOVEit Transfer themselves but had shared data with a direct victim through the platform. For example, a company that used a payroll processor running MOVEit Transfer had its employee data exposed through the processor's breach.

Indirect Victims (Second Order)

Organizations whose data was exposed because their vendor's vendor used MOVEit. The cascade extended multiple levels deep. A small business might have its employee health insurance data exposed because:

  1. The business used a benefits administrator
  2. The benefits administrator used a health insurance company
  3. The health insurance company used MOVEit Transfer to exchange files with partners

The small business had no direct relationship with MOVEit and no way to know its data was at risk.

Sector-by-Sector Impact

Government

Multiple US federal agencies confirmed data exposure:

  • Department of Energy: Employee data compromised through a contractor
  • Office of Personnel Management: Data exposed through a benefits administrator
  • Several state governments disclosed breaches affecting residents' data

The government impact was particularly notable because many agencies had no direct MOVEit relationship — their data was exposed through cascading vendor relationships.

Healthcare

Healthcare organizations were hit hard because the industry depends on managed file transfer for:

  • Health insurance claims processing
  • Patient data transfers between providers
  • Regulatory reporting

The breach exposed protected health information (PHI) for millions of patients, triggering HIPAA notification requirements across hundreds of covered entities.

Financial Services

Banks, insurance companies, and investment firms were affected. The financial sector uses MFT for:

  • Interbank data transfers
  • Regulatory filings
  • Customer document management

Financial data, including account information and personal financial records, was among the exposed data.

Education

Universities and school districts were affected both directly and through service providers. Student records, employee information, and financial aid data were exposed at dozens of institutions.

Cl0p's Extortion Model

Cl0p's approach to the MOVEit campaign was different from their typical ransomware operations:

No Encryption

Unlike traditional ransomware attacks, Cl0p didn't encrypt any systems. The campaign was purely data theft and extortion. This was a strategic choice — it reduced the operational complexity and the likelihood of detection during the exploitation phase.

Mass Exploitation, Individual Extortion

Cl0p compromised as many MOVEit instances as possible during the initial exploitation window, then spent weeks sorting through the stolen data to identify victims and assess the value of the data.

The Leak Site

Cl0p used their Tor-based leak site to:

  1. List victim organizations
  2. Give deadlines for contact and payment
  3. Begin publishing stolen data if no payment was received

Differentiated Messaging

Cl0p sent different messages to different types of victims. Government agencies received a message saying their data would be deleted (likely an attempt to avoid the attention that comes with attacking government entities). Private companies were told to pay or face publication.

Response Challenges

Organizations faced several challenges in responding to the breach:

Identification

Many organizations didn't know they were affected. The cascade through vendor relationships meant that data could be exposed without the data owner having any direct connection to MOVEit.

Scope Assessment

Even organizations that knew they ran MOVEit had difficulty determining what data was actually exfiltrated. MOVEit logs showed what files were accessed, but mapping files to data categories and affected individuals required significant manual effort.

Notification

With millions of individuals affected, the notification burden was enormous. Organizations needed to:

  • Determine which individuals were affected
  • Prepare notification letters
  • Set up credit monitoring services
  • Staff call centers for inquiries
  • File notifications with state regulators (requirements vary by jurisdiction)

Legal Complexity

Multiple class-action lawsuits were filed within weeks of the breach disclosure. Organizations needed legal counsel to navigate notification requirements, litigation risk, and regulatory inquiries.

The Third-Party Risk Management Problem

The MOVEit breach exposed a fundamental weakness in how organizations manage third-party risk:

Limited visibility into vendor stacks: Most organizations assess their direct vendors but have little visibility into what software those vendors use.

Questionnaire-based assessments don't work: Annual security questionnaires don't capture whether a vendor is running a specific file transfer tool with a specific vulnerability.

Concentration risk is invisible: Without tools to track software usage across your vendor ecosystem, you can't identify when many of your vendors depend on the same vulnerable product.

Lessons Learned

Map Your Data Flows

Know where your data goes, including transfers to and between vendors. If you can't map your data flows, you can't assess your exposure when a vendor is breached.

Require Vendor SBOMs

If your vendor provides an SBOM of their infrastructure, you can identify concentration risks and assess your exposure when vulnerabilities are disclosed.

Plan for Cascade Breaches

Your incident response plan should include scenarios where a vendor — or a vendor's vendor — is breached. These scenarios are harder to respond to because you have less visibility and less control.

Minimize Data Sharing

Only share the minimum data necessary with vendors. Data that isn't shared can't be exposed through a vendor breach.
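To make the cascade, data-flow mapping and concentration-risk points concrete, here is an added example (not code from the post or from Safeguard.sh) that walks a constructed vendor data-flow map: given which organizations run a product such as MOVEit Transfer, it finds direct victims, traces each organization's shared data categories through vendors and vendors' vendors to find first- and second-order exposure, and counts how many reachable vendors depend on the same product. All organization names, products and data categories are constructed placeholders, and the model assumes a vendor can only forward data categories it actually received.

```python
from collections import deque

# Constructed vendor ecosystem for illustration (not real vendor or SBOM data):
# org -> {"runs": products it operates, "shares": {vendor: data categories sent}}
ECOSYSTEM = {
    "acme-smb": {"runs": set(), "shares": {"benefits-admin": {"employee_pii"}}},
    "benefits-admin": {"runs": {"hr-portal"},
                       "shares": {"health-insurer": {"employee_pii", "health"}}},
    "health-insurer": {"runs": {"moveit-transfer"}, "shares": {}},
    "widget-co": {"runs": set(), "shares": {"payroll-co": {"employee_pii", "payroll"},
                                            "health-insurer": {"employee_pii"}}},
    "payroll-co": {"runs": {"moveit-transfer"}, "shares": {}},
}

def direct_victims(eco, product):
    """Orgs that run the compromised product themselves."""
    return {org for org, info in eco.items() if product in info["runs"]}

def exposure(eco, org, product):
    """Trace org's data through vendors and vendors' vendors to `product` users.
    Returns {vendor running product: (hops, categories of org's data reaching it)}.
    A vendor can only forward what it received, so categories are intersected
    along each path; hops 1 = first-order indirect victim, hops 2 = second-order."""
    hits, seen = {}, set()
    queue = deque((v, 1, set(c)) for v, c in eco[org]["shares"].items())
    while queue:
        cur, hops, cats = queue.popleft()
        if not cats or (cur, frozenset(cats)) in seen:
            continue  # nothing left in transit, or this state was already walked
        seen.add((cur, frozenset(cats)))
        if product in eco[cur]["runs"]:
            prev_hops, prev_cats = hits.get(cur, (hops, set()))
            hits[cur] = (min(prev_hops, hops), prev_cats | cats)
        for nxt, shared in eco[cur]["shares"].items():
            queue.append((nxt, hops + 1, cats & shared))
    return hits

def concentration(eco, org):
    """Count how many of org's reachable vendors (any depth) run each product."""
    reach, stack, counts = set(), list(eco[org]["shares"]), {}
    while stack:
        v = stack.pop()
        if v not in reach:
            reach.add(v)
            stack.extend(eco[v]["shares"])
    for v in reach:
        for p in eco[v]["runs"]:
            counts[p] = counts.get(p, 0) + 1
    return counts
```

In this map acme-smb never touches MOVEit yet is a second-order victim via its benefits administrator, while widget-co has two of its vendors on the same product, which is exactly the concentration risk a questionnaire would miss.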

How Safeguard.sh Helps

Safeguard.sh directly addresses the lessons from the MOVEit campaign:

  • Supply Chain Mapping: Safeguard.sh helps you map your software supply chain, including vendor dependencies, so you can quickly assess exposure when a product like MOVEit is compromised.
  • Vulnerability Intelligence: Safeguard.sh monitors vulnerability disclosures across your entire supply chain and immediately alerts you when critical CVEs affect products you or your vendors use.
  • SBOM Management: Safeguard.sh generates, stores, and analyzes SBOMs, giving you the inventory needed to quickly answer "are we affected?" when the next major vulnerability is disclosed.
  • Third-Party Risk Visibility: Safeguard.sh provides visibility into the software composition of your vendor ecosystem, helping you identify concentration risks before they become breaches.

The MOVEit breach will be studied for years as an example of how a single vulnerability in a single product can cascade through the global economy. The lesson is clear: supply chain visibility isn't optional, and it needs to extend beyond your own infrastructure into your vendor ecosystem.
