15 banks, credit unions confirm MoveIt data breaches

As banks and credit unions complete their investigations of data breaches caused by a software vulnerability in file transfer software MoveIt, 15 have reported that their customers’ personal information, such as names, Social Security numbers, addresses, and phone numbers, was involved.

Ransomware group Cl0p, which many security analysts characterize as an opportunistic threat actor seeking to profit from cybersecurity vulnerabilities, exploited a zero-day vulnerability in Progress Software’s file transfer software starting around May 27 to steal information from, according to some counts as of Monday, more than 200 companies around the world.

At least three banks and credit unions specified that Cl0p stole customer data not because the institution itself used MoveIt but because a third-party vendor used MoveIt.

For example, in a letter to 25,660 consumers affected by a breach, Clearwater Credit Union in Missoula, Montana cited the MoveIt vulnerability as a cause of a breach at the credit union, but a spokeswoman for Clearwater said it “does not contract with or use MoveIt.”

Instead, one of the credit union’s third-party vendors (the Clearwater spokeswoman did not specify which) notified the credit union that it had been affected by a vulnerability in the file transfer software and, as a result of the incident, discontinued use of the MoveIt service.

“We received the documents acquired by the third party and determined that the documents contained personal information that included your name, Social Security number (last four digits), account number, email address, and phone number,” Clearwater told customers in the June 30 letter. “This incident did not involve unauthorized access to any Clearwater systems.”

Among the largest victims that threat actor Cl0p identified in the MoveIt breaches was Fidelity National Information Services, also known as FIS.

“FIS was one of many organizations impacted by a cybersecurity incident experienced by Progress Software and their MoveIt Transfer product,” a spokesman for FIS said. “While the incident impacted a limited number of our clients, we are communicating with clients whose information was potentially involved. We are in regular contact with Progress Software and monitoring the situation closely. We will continue to take appropriate actions to protect our clients.”

The FIS spokesman did not specify the number of clients affected, nor the total number of customers at those institutions who had their data compromised by the breach.

Another service provider, CU*Answers, said last month that it was affected by the MoveIt vulnerability and had contacted credit unions who partnered with it if they were affected by the breach.

“Our review indicates that a small number of credit unions were affected by this vulnerability,” reads a statement CU*Answers posted to its website. “We have reached out to these credit unions directly. Unless we spoke with your credit union CEO directly, your credit union was unaffected by this vulnerability.”

Banks that do not directly use MoveIt also had their customers’ data compromised in the attack. For example, a spokesperson for PlainsCapital Bank in Dallas, Texas said that, on June 27, “a leading financial technology service provider used by PlainsCapital Bank confirmed its exposure to the global cyberattack against MoveIt.” 

The PlainsCapital spokeswoman did not name the fintech service provider.

Other confirmed victims

First Commonwealth Bank in Indiana, Pennsylvania said in an SEC filing on July 6 that the bank “has received written notice from a third party prominent financial institution vendor that data specific to certain of its customers was likely obtained in a security incident” involving MoveIt. The bank did not respond to a request for comment.

Sunflower Bank, which is headquartered in Denver, said in a post on its website that it was impacted by the MoveIt vulnerability. A spokeswoman for Sunflower said bank employees are “working to identify any affected data files and are in the process of directly notifying any potentially impacted parties.”

1st Source Bank in South Bend, Indiana told 450,000 customers that their data, including Social Security numbers, were affected in the breach, according to a filing with the Maine Attorney General.

Sound Community Bank in Seattle, Washington said in a notice on its website that its customers had been affected by the breach. The bank said in an SEC filing that approximately 16,000 customers were affected.

City National Bank of Florida in Miami notified 36,306 customers that their information, including Social Security numbers, had been compromised, according to a filing with the Maine Attorney General.

First Merchants Bank in Muncie, Indiana said in a post to its website that the information of affected customers varied but could include names, addresses, dates of birth, Social Security numbers, and financial account information. “Online or mobile banking passwords were not captured or compromised and remain unaffected by this incident,” the statement reads.

Rockland Trust Bank told 14,806 customers that information compromised in a breach affecting the bank included financial account numbers or card numbers, according to a filing with the Maine Attorney General. A spokeswoman for the bank said one of the bank’s third-party bill pay providers “informed us that they were one of the organizations impacted.” The spokeswoman did not specify the bill pay provider.

Umpqua Bank said in a post on its website that it found evidence of “unauthorized access to the names and Social Security numbers or tax identification numbers of a segment of our consumer and small business customers,” but did not specify how many customers were affected.

Union Bank and Trust in Lincoln, Nebraska told 204,291 customers that information including their Social Security numbers had been compromised in a breach, according to a filing with the Maine Attorney General. The bank did not respond to a request for comment.

United Bank in Fairfax, Virginia told customers that their names and account numbers had been compromised in the breach. A spokeswoman for United Bank said the bank’s core systems “were not affected.” The spokeswoman did not specify how many customers’ data had been compromised.

Franklin Mint Federal Credit Union in Chadds Ford, Pennsylvania told 140,963 consumers that their Social Security numbers had been compromised in a breach, according to a filing with the Maine Attorney General.

Quorum Federal Credit Union in Purchase, New York told 17,054 consumers that their financial account numbers or card numbers had been compromised in a breach, according to a filing with the Maine Attorney General.

A spokeswoman for Cadence Bank in Tupelo, Mississippi confirmed that the bank’s instance of MoveIt had been compromised but that an investigation into the matter was ongoing. “If we find that any customer information has been impacted, we will notify those customers and disclose all the necessary information,” she said.

Delisted and unconfirmed victims

Cl0p claimed to have compromised the data of multiple banks and credit unions that did not respond to requests by American Banker for comment and have not otherwise publicly reported breaches. Others that Cl0p listed as victims do not appear to have actually been compromised.

For example, a spokeswoman for East West Bank said that “no sensitive data had been compromised, nor was there any impact to our systems from the incident,” to the bank’s knowledge.

“This tool is used to transfer files for a very small number of commercial clients,” the East West Bank spokeswoman said. “We immediately launched an investigation, implemented preventative security measures and eliminated the vulnerability.”

Cl0p also listed HealthEquity, a fintech that provides health savings accounts, as a victim, but the company said in an update on its website that there is “no evidence of exposure regarding any personally identifiable data or client information at this time.” A spokeswoman for the company said HealthEquity has not paid any ransom to Cl0p, which has delisted HealthEquity as a victim.

Putnam Investments told Bleeping Computer that the institution was investigating the matter after Cl0p listed the investment bank as a victim.

Nine additional banks and credit unions are listed by Cl0p as victims, as well as one payments provider, but none have publicly acknowledged a breach.

As of Friday, the total number of consumers who had data compromised in a MoveIt breach exceeds 20 million, according to Emsisoft security researcher Brett Callow. Given that banks and credit unions continue to confirm breaches, that number is expected to grow.

Leave a Comment