Stolen data include workers' names, email addresses, entire organizational structures, says report
Canada Post, Amazon and McDonald’s are among the possibly more than 1,000 companies that have fallen victims of an exploited critical vulnerability in MOVEit – exposing sensitive information of thousands of workers, according to a report.
The vulnerability – known as CVE-2023–34362 – has led to one of the most substantial leaks of corporate information last year, affecting various sectors, including finance, healthcare, technology, and retail, according to an ‘InfoStealers’ report by cybercrime firm Hudson Rock.
“The stolen data, which dates back to May 2023, includes employee directories from 25 major organizations,” said Alon Gal, co-founder & CTO at Hudson Rock, in the report.
“The directories contain detailed employee information, including names, email addresses, phone numbers, cost center codes, and, in some cases, entire organizational structures. Such data could serve as a goldmine for cybercriminals seeking to engage in phishing, identity theft, or even social engineering attacks on a large scale.”
Source: InfoStealers
The data was released by a person operating under the username Nam3L3ss, according to the report.
“Hudson Rock researchers were able to verify the authenticity of the data by cross-referencing emails from the leaks to Linkedin profiles of employees, and to emails found in Infostealer infections where employees in the affected companies were involved,” Gal said.
The hacker, Nam3L3ss, posted these files on a prominent cybercrime forum, each thread showing a trove of sensitive information. And the person warned companies and individuals to “pay attention” to the magnitude of these leaks, noting that they intend to share more stolen information.
In mid-2023, at least 100,000 workers in Nova Scotia were impacted by cybertheft by cybercriminals who exploited a weakness in the MOVEit managed file transfer software, according to a report.
Sony also previously fell victim to a data breach.
How can an organization prevent a data breach?
“To maximize your chances of mitigating data breaches, there should be a greater emphasis on security controls preventing network penetration,” said Edward Kost, cybersecurity writer at UpGuard.
To protect themselves from data breaches, employers should focus on the following areas:
- Security Awareness Training - addresses internal attack vectors
- Internal Vulnerability Detection - addresses internal attack vectors
- Data Leak Management - addresses internal and third-party attack vectors
- Vendor Risk Management - addresses third-party attack vectors
Cyber threats have once again topped the list of concerns for Canadian businesses, according to a recent survey.