Multinational accounting firms PricewaterhouseCoopers (PwC) and Ernst & Young (EY) are among the seemingly ever-growing list of victims linked to a cyber security incident that originated with data transfer service, MOVEit.
A supply chain cyber attack launched at MOVEit by ransomware gang Clop has resulted in a series of data breaches for a large number of high-profile brands including Health Service Ireland (HSE) and payroll services provider Zellis. The breach of Zellis has also led to further breaches of their clients, which include the British Broadcasting Company (BBC), airline British Airways and health and beauty retailer Boots.
A spokesperson for PwC said that the firm was “aware that MOVEit, a third party transfer platform, has experienced a cybersecurity incident which has impacted hundreds of organisations including PwC”. They went on to say that while the firm uses MOVEit software for a “limited number of client engagements”, once the cyber attack against MOVEit was discovered, the firm stopped using the software and launched their own investigation into the cyber security incident.
PwC has said they believe the breach will have a “limited impact” and that the company’s network had not been affected by the data breach.
Likewise, EY said they immediately halted all use of MOVEit software once its critical vulnerability came to light. The company has launched its own internal investigation also, and says it has taken steps to secure and protect any data that may have been accessed during the cyber attack.
An EY spokesperson said that while the vast majority of systems which use MOVEit within EY are “secure and were not compromised”, the company will be contacting all those affected, as well as the relevant authorities.
What happened during the MOVEit cyber attack?
The cyber attack against MOVEit saw ransomware gang Clop exploit a critical zero-day vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data.
The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to address the issue.
Ransomware gang Clop later took ownership of the cyber attack by attempting to exploit its victims. In a post on the gang’s Telegram channel, the malicious actors demanded victims pay them by June 14, or their data would be released.