The list of victims affected by the MOVEit hack continues to expand, with several organizations recently announcing that their sensitive data was exposed in MOVEit-related breaches. According to reports from TechCrunch, over 200 organizations have been impacted by the mass-hack of MOVEit’s popular file transfer application. Brett Callow, a threat analyst from Emsisoft, stated that this exploitation of the MOVEit bug has resulted in 33 breach disclosures and the compromise of data belonging to more than 17.5 million individuals.
One of the companies affected by the MOVEit breach is Shell, a multinational oil and gas giant. Shell confirmed that the exploitation of the MOVEit tool led to the exposure of personal information related to employees. It was reported that the tool had been used at Shell by only a small number of employees and customers. The ransomware group responsible for the hacks, Cl0p, claimed to have released the stolen data from Shell when the company refused to meet their ransom demands. However, the links to this data seem to be broken at the moment. Another victim of the MOVEit breach is First Merchants Bank, a US financial holding company. They disclosed that the breach compromised sensitive customer data, including addresses, Social Security numbers, usernames, payee information, and financial account information.
Aside from companies, several US learning institutions also fell victim to the MOVEit hacks. The National Student Clearinghouse and the Teachers Insurance and Annuity Association of America have reported being impacted. Callow believes that a majority of schools in the US may have also been affected by these hacks.
Moving on to another news item, Nickelodeon has confirmed that leaked data from June does indeed belong to the US family television network. However, it seems that at least a portion of the data is decades old. Rumors of a data breach targeting Nickelodeon surfaced in January, and last month, images of the allegedly stolen data began circulating on social media. While Nickelodeon has not provided specific details about the leaked content, a spokesperson has stated that it appears to be related to production files and not long-form content or employee/user data. The spokesperson also noted that some of the leaked data appears to be from decades ago. The exact age of the leaked information is uncertain, but it raises the question of whether it is “Blue’s Clues” old or “Double Dare” old.
Lastly, JDSupra has offered a primer for nonprofit organizations on various privacy laws and protections around the world. In recent years, governments globally have enacted a range of privacy rules. In the United States, a complex regulatory framework exists, with federal and state laws and sector-specific regulations such as the Health Insurance Portability and Accountability Act and the Gramm–Leach–Bliley Act. Several states have implemented their own privacy laws, and more are expected to follow suit next year. At the federal level, Congress is considering measures such as the Information Transparency and Personal Data Control Act and the SAFE DATA Act.
In the European Union, the General Data Protection Regulation (GDPR) provides a comprehensive framework, and even though the UK is no longer an EU member state, it largely adheres to GDPR regulations. China has also enacted several measures related to cybersecurity and data privacy, including the China Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL). Any foreign organization with a presence in China must comply with PIPL, and it also applies to most organizations that collect personal data on Chinese citizens, regardless of whether they have an established presence in the country.
These developments in privacy protections highlight how increasingly important it is for organizations, including nonprofits, to navigate the evolving landscape of privacy laws around the world.