The Information Highway

The Information Highway

Font size: +
3 minutes reading time (564 words)

Ransomware gang files SEC complaint over victim’s undisclosed breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack. 

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

Hackers snitch to the SEC

According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink's network on November 7 and stole company data without encrypting systems.

The ransomware actor said that "it appears MeridianLink reached out, but we are yet to receive a message on their end" to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted "customer data and operational information."

ALPHV ransomware irritated by MeridianLink's silence
source: BleepingComputer

To show that their complaint is real, ALPHV published on their site a screenshot of the form they filled out on SEC's Tips, Complaints, and Referrals page.

In their own words, the attacker told the SEC that MeridianLink suffered a "significant breach" and did not disclose it as required in Form 8-K, under Item 1.05. 

ALPHV ransomware SEC complaint against MeridianLInk
source: BleepingComputer

Following a barrage of security incidents at U.S. organizations, the SEC adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions.

Cybersecurity incident reporting is "due four business days after a registrant determines that a cybersecurity incident is material," the new rule states.

However, the SEC's new cybersecurity rules are set to take effect on December 15, 2023, Reuters explained at the beginning of October.

ALPHV also provided on their site the reply they received from the SEC to the complaint against MeridianLink, to show that the submission was received.

Automated reply from SEC to ALPHV complaint against MeridianLInk
source: BleepingComputer

MeridianLink confirms cyberattack

In a statement, MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.

The company added that it is still working to determine if any consumer personal information was impacted by the cyberattack and it will notify affected parties if so. 

"Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption." 

by MeridianLink

While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.

Previously, ransomware actors exerted pressure on victims by contacting customers to let them know of the intrusion. Sometimes, they would also try to intimidate the victim by contacting them directly over the phone.

Fortinet warns of critical command injection bug i...
Toronto Public Library confirms data stolen in ran...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 14 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023