Quick show of hands: whose data hasn't been stolen in the mass exploitation of Progress Software's vulnerable MOVEit file transfer application? Anyone?
According to security shop Emsisoft, 2,620 organizations and more than 77 million individuals have been impacted to date, with millions in the past week alone having received notifications that their info was either accessed, leaked, or both. The notifications follow the Russian ransomware gang Clop exploiting a security hole in MOVEit back in May to steal files from compromised instances.
Embarrassingly, antivirus biz Avast, which recently disclosed the crooks accessed some "low-risk customer personal information," is among these new-ish victims. According to the UK's Times, the information posted "is primarily limited to name and/or contact information, as well as information on the product you purchased from us. No banking details, credit card numbers or high-risk data such as login information or account details were taken."
We use MOVEit for internal file transfers and immediately remediated all known vulnerabilities when this incident was discovered in June. While there was no impact to our core IT systems or services, during continued due diligence, we found some of our Avast customers' personal information, such as name, email address and phone number, was impacted.
While this information is not considered high risk, we take the safety of our customers extremely seriously and want to ensure they are prepared to be vigilant against any potential phishing threats using this information. We have notified customers and offered dark web monitoring free of charge for six months.
Not one to let an opportunity to up-sell slip by, the org recommended that affected customers also pay for an enhanced security service.
In more MOVEit news, Welltok, which provides patient communication services for healthcare providers across the US, has been busy notifying patients that their supposedly private healthcare data really isn't.
The Virgin Pulse-owned company has sent notification letters to more than 1.6 million patients alerting them that their names, addresses, dates of birth, and health information may have been stolen by miscreants abusing MOVEit, according to a November 18 filing with the Maine Attorney General's office.
In a letter sent to those affected patients, Welltok says it first learned that its MOVEit instance had been compromised back in July, after it had "previously installed all published patches and security upgrades immediately upon such patches being made available by Progress Software." By August, it determined criminals had managed to "exfiltrate certain data," and in October Welltok began notifying Sutter Health patients that their personal information may have been accessed. Sutter provides health care to more than three million people in northern California.
Welltok also provides patient data communications for Michigan's Corewell Health as well as its Priority Health lifestyle portal, and a ton of those patients also were hit by the MOVEit breach. Last week, Welltok said about one million Corewell Health patients and 2,500 Priority Health members were impacted. For Priority Health members, stolen data included name, address and health insurance identification number. Corewell Health patients may have had their names, dates of birth, email addresses, phone numbers, diagnosis, health insurance information and Social Security numbers exposed.
Welltok notified 89,556 patients of St. Bernards Healthcare that their data may have been compromised in the MOVEit fiasco. "The information accessed by the unknown actor may have included, depending on the individual, their name, address, date of birth, social security number, email address, phone number, patient identification number, health insurance information, provider's name, and medical treatment or diagnosis information," according to the Arkansas-based health care provider.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000