A year ago, the World Economic Forum reported that 93% of “cyber leaders” are expected to be impacted by a catastrophic cybersecurity event in the next 2 years. As it turned out, they didn’t have long to wait.
Initially reported in May of this year, an unpatched vulnerability in MOVEit, the “secure” cloud file transfer tool used by thousands of organizations worldwide, shocked the world: enormous volumes of confidential data belonging to hundreds of millions of people and companies were used as bait and blackmail to extort victims.
The cybercrime gang behind the attacks has previously been associated with other large-scale attacks, namely those on the Accellion, SolarWinds and Fortra platforms, where it demonstrated the capability to handle and exploit massive amounts of stolen data.
As is now common practice, the group uses a dark web “PR” site (which I do not recommend you visit) to publicly shame organizations in order to intimidate them and extort ransom payments. By some accounts, the losses could top $65,000,000,000 (that’s Billion, with a B), as more than 2,600 companies have reported breaches related to the initial cyber incident.
What’s more, those companies are estimated to have exchanged sensitive data with a whopping 73,000 others, making this breach a pivotal event of historic proportions that is expected to take years to fully unravel.
Today, as another large Canadian company reports falling victim to the MOVEit breach through its own supply chain, we are reminded of the critical importance of securing the entire business ecosystem. This is extremely difficult when it comes to cloud vendors, whose practices are often opaque to clients, but it is not an impossible task given a mature vendor risk management process and the discipline to enforce baseline standards for verifiable data protection.
All that to say: be ready to walk away if your cloud vendor fails to deliver adequate transparency.
If a positive conclusion can be drawn from this maelstrom of bad news, it is that #2024 will have little choice but to bring timely improvements in the way third-party service provider practices are scrutinized for security, compliance and privacy.