“Hacker” stock photos are the worst. Is he hacking from the back room of a vape shop?
We saw this story on Cybernews, shout-out to them for staying on top of the MOVEit data breach. TL;DR: File transfer program MOVEit was compromised earlier this year by the Cl0p ransomware group, Cl0p threatened to release the data they have if affected entities didn’t pay a ransom, EY didn’t so the data is trickling out. The group named EY and PwC as victims early on, they later announced Deloitte had been breached as well. And they got Crowe, too.
Yesterday EY filed a data breach notification with the Maine attorney general that says 30,210 Bank of America customers may have (probably) had their personal information — including debit or credit card numbers and government ID numbers — acquired in the MOVEit breach. BofA is offering 24 months of Experian credit monitoring and identity theft resolution as a result, detailed in this letter EY is sending out to affected BofA customers:
The United States firm of Ernst & Young LLP (“EY,” “we” and “us”) is writing to notify you of an issue that involves your personal data. EY provides consulting, advisory, and tax services to Bank of America. As part of those services, we receive and handle information that may include personal data in certain instances.
WHAT HAPPENED
On May 31, 2023, we were informed by our third-party supplier, Progress Software Corporation, of a security vulnerability involving the supplier’s MOVEit Transfer solution. MOVEit Transfer is a file transfer tool used by many organizations, including us, to support the transfer of data files. Upon becoming aware of the issue, we promptly launched an investigation and took steps to secure our systems. We have also been working with third-party security experts to investigate the scope of the issue and advise on our response. Bank of America has informed us that its systems and servers were not impacted by this event.WHAT INFORMATION WAS INVOLVED
Certain files within the third-party software solution have been compromised through this security vulnerability. These files may contain your personal data. The personal data in the relevant files may have included your first name or first initial and last name, address, financial account information, debit or credit card numbers, social security number, and/or other unique government-issued identification numbers.WHAT WE ARE DOING
EY is informing you about the issue so you can take steps to protect your personal data from identity theft, phishing and other potential misuse. As an additional measure of protection, we are notifying you that Bank of America will be making available a complimentary two-year membership in an identity theft protection service provided by Experian IdentityWorks. You will not be billed for this service. [snip, more on how consumers can use this service blah blah]WHAT YOU CAN DO
Over the next 12 to 24 months, we recommend you remain alert for any unsolicited communications regarding your personal data and review your account statements and credit reports for suspicious activity. You should promptly notify your financial institution of any unauthorized transactions or suspected identity theft. We also recommend that you enroll in the complimentary Credit Monitoring Service offered by Bank of America. Finally, please review the “Additional Resources” section included with this letter below. This section describes additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.MORE INFORMATION
Should you have any questions regarding this incident, please contact Bank of America at [censored] Monday – Friday between 8am – 11pm ET and Saturday 8am – 8pm ET who can assist you during this process.We regret any inconvenience this issue may cause you.
Ernst & Young LLP
According to Cybernews, more than 40 million people and 620 organizations have been confirmed to be impacted by Cl0p’s MOVEit Transfer attacks. And:
Cl0p claims that it has access to a staggering three terabytes of EY‘s data, stolen during the attack. The cybercrooks say they have data ranging from financial reports to passport scans. If the volume of stolen data is confirmed, additional exposed EY customers may surface.
Said Cyjax chief information security officer Ian Thornton-Trump to Information Security Media Group in July, “There is no doubt in my mind that sensitive data exists within this data set, and companies need to be actively monitoring the data breach/ransomware ecosystem to determine the organization’s potential exposure directly or indirectly through a supply chain partner compromise.”
Full notice to the Maine AG below:
2023-08-09 EY US Notice to … by Adrienne Gonzalez
Earlier:
EY and PwC Among the Many Entities Caught Up in the MOVEit Cybersecurity Breach Ransom
“EY US takes this event seriously, and remains committed to protecting individuals’ personal information and assisting those who may have been affected by this incident.”
But not committed enough to just pay the ransom and make the whole thing go away apparently.
EY’s 2020 guide “Ransomware: to pay or not to pay?” basically advises against doing that because it’s no guarantee it’ll actually make the problem go away.
https://izoologic.com/2023/08/10/august-15-d-day-for-all-cl0p-ransomware-victims/
All done in prep for Aug 15th?
Why did EY have all of this personal data from BofA customers?