It also added that the security breach at the vendor was limited to work-related contact details, like employee work emails, desk phone numbers, and building locations, and no sensitive information, like Social Security numbers or financial data, was compromised.
The firm also reported that the threat actor claimed to have leaked only less than .001% of the total stolen data, promising more releases in the future.
The cybersecurity firm says the stolen information dates back to May 2023, when a zero-day critical vulnerability in MOVEIt, a popular file transfer platform used by many companies, was exploited.
This flaw allowed an unauthenticated attacker to bypass authentication protocols through an SQL injection, potentially granting unauthorized access to the MOVEit Transfer database and gaining access to sensitive data.
The notorious Clop ransomware and extortion gang were claimed to be behind the MOVEit breach, which was the biggest hack of 2023.
For example, the Oregon Department of Transportation in the U.S. had 3.5 million records stolen.
In contrast, the Colorado Department of Health Care Policy and Financing and a U.S. government contractor, Maximus, had 4 million and 11 million records stolen, respectively.
