Michigan State University (MSU) has been impacted by a breach of two third-party vendors, potentially exposing the personal data of MSU community members. The breach occurred through MOVEit, a cloud-based software platform that is widely used for data file transfer services by various organizations. The affected vendors in this breach were the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association of America (TIAA). Although the exact number of impacted individuals is not yet clear, both vendors have committed to providing MSU with a list of compromised individuals.
MSU has confirmed that there was no breach to its own networks or systems. However, the compromise of a third-party organization is still concerning for the university, leading them to take proactive steps in notifying the community and providing guidance on protecting personal information. Melissa Woo, the Vice President and Chief Information Officer of MSU, emphasized the importance of being vigilant against phishing emails, strengthening passwords, and using multi-factor authentication whenever possible.
In a separate incident, American law firm Quinn Emanuel Urquhart & Sullivan disclosed a possible compromise of client data. The breach occurred in May of the previous year through an electronic discovery vendor used by the firm for document management. While the name of the vendor has not been revealed, Quinn Emanuel stated that the incident was limited to a small portion of their clients and matters. The firm, specializing in business litigation and based in California, has already notified the affected individuals, which is fewer than two thousand.
This breach adds to a series of third-party attacks targeting law firms, with Jones Day and Goodwin Procter among the firms impacted in the 2021 breach of file transfer vendor Accellion. The attractiveness of law firms as targets for threat actors is due to the sensitive and confidential data they handle in their legal services.
In another development, the ransomware group known as Cl0p has changed its tactics by posting stolen data on the clear web instead of relying solely on the dark web. According to experts, this approach is faster and more accessible, but it also exposes the group to potential takedowns and legal actions. Chris Morgan, a Senior Cyber Threat Intelligence Analyst at ReliaQuest, believes that this strategy increases both the pressure on the victims and the risk for Cl0p, as more eyes are now on the stolen data. However, it also makes it easier for the targeted companies to request the removal of the posted data. This tactic was previously used by the Alphv ransomware group in June 2022, although its impact on ransom payments remains unclear.
Furthermore, Cl0p has taken an unconventional approach to communicating with victims. Following the exploitation of the MOVEit zero-day vulnerability, the group has requested that victims reach out to them if they have been breached. This places the burden on the victims to determine whether they have been impacted and potentially engage in negotiations with the ransomware group. The latest move by Cl0p to post victims’ data on the clear web may be an escalation of this tactic to pressure companies that have resisted paying the ransom.
Overall, these incidents highlight the continued challenges faced by organizations regarding the security of their data, especially when relying on third-party vendors. It underscores the need for robust cybersecurity measures, including secure file transfer protocols, regular assessments of vendors’ security practices, and ongoing employee training to prevent and respond to potential breaches.