MOVEit Exploit Fallout: Massive Data Leak from Amazon, McDonald’s and 1000+ Companies

Date: November 11, 2024


An individual using the alias Nam3L3ss has exposed a large volume of corporate employee data that appears to originate from exploitation of a critical vulnerability in MOVEit Transfer, a widely used managed file transfer product.

Tracked as CVE-2023-34362, the flaw is a SQL injection in the MOVEit Transfer web application that allowed unauthenticated attackers to reach the product's database and, in the 2023 campaign, to steal the files staged on affected servers, leading to substantial data theft across multiple industries, including finance, healthcare, technology, and retail.

This breach has affected a variety of major global companies, underscoring the serious consequences of unpatched software vulnerabilities.

The leaked data, dating back to May 2023, includes employee directories from 25 large organizations. Each directory contains detailed information, such as employee names, emails, phone numbers, department codes, and in some cases, comprehensive organizational structures.  

This level of detail raises concerns about potential misuse in phishing, identity theft, and social engineering. Notable impacted companies include Amazon (2.8 million records), MetLife (585,000 records), and HSBC (280,000 records), among others, revealing the scope of compromised employee information.

In addition to contact information, the data includes structured details like cost center and department assignments, which could aid attackers in identifying internal hierarchies and targeting specific employees.  

For instance, HSBC’s dataset outlines global operations by city and branch, while Amazon’s data reveals employee roles, cost center codes, and organizational divisions, InfoStealers reports.

Researchers verified the leak's authenticity by matching email addresses against LinkedIn profiles and infostealer logs, underscoring the credibility of the exposed data. Nam3L3ss publicized the breach on a cybercrime forum, emphasizing the critical nature of these directories and warning companies of their vulnerabilities.
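The researchers' check above used outside sources (LinkedIn, infostealer logs). The following Python sketch, added here as an illustration and not code from the article, from InfoStealers, or from the researchers it cites, shows the victim-side version of the same idea: an incident-response team takes a sample of the leaked directory, confirms whether the rows really belong to the organization by matching normalized email addresses against its own HR export, then enumerates which fields are actually exposed for the confirmed records, which is what a breach-notification assessment needs to state. Every name, domain, phone number and cost center below is constructed; the column names are assumed, not taken from the real dump.

```python
"""Triage a leaked employee-directory dump against the organization's own HR export.

Added example, not from the original article. All data is constructed.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample of what a few leaked directory rows might look like,
# including a duplicate with different casing, a row from a foreign domain,
# and a malformed line, all of which real dumps tend to contain.
LEAKED_DUMP = """\
name,email,phone,cost_center,department
Alice Example,Alice.Example@example-corp.com,+1-555-0100,CC-4410,Payments Eng
Bob Sample,bob.sample@example-corp.com,+1-555-0101,CC-4410,Payments Eng
Carol Test,carol.test@example-corp.com,,CC-2200,Treasury
Bob Sample,BOB.SAMPLE@example-corp.com,+1-555-0101,CC-4410,Payments Eng
Dan Nobody,dan@not-our-domain.test,+1-555-0199,CC-9999,Unknown
malformed line without commas
"""

# Constructed reference: mailboxes the HR system says existed at the time of
# the suspected exfiltration. Only emails are needed to confirm authenticity.
HR_REFERENCE = {
    "alice.example@example-corp.com",
    "bob.sample@example-corp.com",
    "carol.test@example-corp.com",
    "erin.left@example-corp.com",  # in HR but absent from the dump
}

FIELDS = ("name", "email", "phone", "cost_center", "department")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(addr):
    """Lower-case and trim so that case/whitespace variants compare equal."""
    return addr.strip().lower()


def parse_dump(text):
    """Parse CSV text, dropping rows without a syntactically valid email."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        email = row.get("email")  # None for short/malformed rows
        if not email or not EMAIL_RE.match(email.strip()):
            continue
        row["email"] = normalize_email(email)
        rows.append(row)
    return rows


def dedupe(rows):
    """Collapse repeated rows for the same mailbox, keeping the first seen."""
    seen = {}
    for r in rows:
        seen.setdefault(r["email"], r)
    return list(seen.values())


def triage(dump_text, hr_emails):
    """Return a summary an IR team can hand to legal/compliance."""
    rows = dedupe(parse_dump(dump_text))
    confirmed = [r for r in rows if r["email"] in hr_emails]
    hr_domains = {e.split("@")[1] for e in hr_emails}
    domains = Counter(r["email"].split("@")[1] for r in rows)
    # Field categories populated for at least one confirmed record: this is
    # the list that determines what kind of personal data was exposed.
    exposed = sorted(f for f in FIELDS if any(r.get(f) for r in confirmed))
    return {
        "records_parsed": len(rows),
        "confirmed_ours": len(confirmed),
        "match_rate": round(len(confirmed) / len(rows), 2) if rows else 0.0,
        "unmatched_domains": sorted(d for d in domains if d not in hr_domains),
        "exposed_fields": exposed,
        "cost_centers_hit": sorted(
            {r["cost_center"] for r in confirmed if r.get("cost_center")}
        ),
    }


if __name__ == "__main__":
    for key, value in triage(LEAKED_DUMP, HR_REFERENCE).items():
        print(f"{key}: {value}")
```

A high match rate against the HR export is what turns "someone claims to have our directory" into a confirmed incident; the unmatched domains are worth a second look, since a dump that bundles several victims (as this one did) will contain other organizations' staff, and the exposed-field list feeds directly into the notification decisions discussed later in the article.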

Although the Cl0p ransomware group is the actor publicly tied to the mass exploitation of MOVEit, it is uncertain whether Cl0p, its affiliates, or Nam3L3ss alone obtained this data.

Researchers anticipate further disclosures from Nam3L3ss, suggesting that this may be only a portion of the data obtained in the breach.

Takeaway: If this leak is indeed related to data exfiltrated during the large-scale MOVEit exploit campaign, it highlights how attackers might find it easier to extract data from vulnerable organizations than to effectively monetize the breach through traditional ransomware.  

After the initial wave of MOVEit attacks, most of them linked to Cl0p, reports suggest that the group's activity dwindled, hinting both at how readily exploitation of such a vulnerability can be automated and at how hard it is to convert hundreds of simultaneous victims into revenue.

Interestingly, Nam3L3ss may view the public release of this data as a “service” by exposing what was stolen and allowing victim organizations to assess the impact. However, the broader availability of this data presents serious security risks, as malicious actors now have access to information that could be used in targeted attacks.  

This situation is particularly concerning for organizations that were unaware of their exposure or had yet to report the breach, especially if regulated data was among the leaked information.

For publicly traded companies impacted, the leak could trigger regulatory scrutiny, especially if there were delays in disclosing the breach to investors and regulators.  

The legal consequences tied to data breaches have surged in recent years, with lawsuits increasing against companies impacted by ransomware or data exfiltration, putting executives and board members under significant pressure. Even organizations with strong cybersecurity measures face increased liability once sensitive data is exposed.

The modern threat landscape means ransomware attacks are no longer just about payload delivery but about data exfiltration and extortion, which can incur hefty regulatory fines, lawsuits, and reputational harm.  

New regulatory requirements, such as the SEC rule that requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining it is material, further complicate response strategies, as companies must quickly balance transparency with the thoroughness of their investigations.

In this environment, executives and security leaders face heightened accountability. However, the stringent regulatory response may risk deterring open communication about breaches, potentially undermining security operations.  

Organizations, especially those handling sensitive data, must strengthen both their cybersecurity practices and their strategies for navigating an increasingly complex regulatory landscape to avoid being doubly victimized—first by attackers, and then by the regulatory and legal aftermath.

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.