As the mass-hacking incidents continue to affect users of the widely used file-transfer application MOVEit Transfer, an increasing number of victims are emerging, with nearly 400 organizations now known to be impacted.
In a recent statement, Estée Lauder, a prominent U.S. cosmetics company, revealed that an unauthorized third-party managed to access some of its systems and obtain data. However, the company did not provide further details or directly associate the incident with MOVEit.
The notorious Clop ransomware gang, reportedly responsible for the series of MOVEit mass-hacks, claimed responsibility for stealing gigabytes of data from various companies, including Estée Lauder's archives. Furthermore, another ransomware gang listed Estée Lauder as one of their victims.
In recent developments, Clop's leak site disclosed other affected organizations, such as the U.K. government's communications regulator Ofcom and Ireland's general communications regulator ComReg.
Interestingly, while Ofcom and ComReg were initially listed on Clop's leak site, they have since been removed. Clop claims to delete government-related data it acquires, potentially explaining why U.S. government agencies have not yet been publicly disclosed.
However, the Cybersecurity and Infrastructure Security Agency (CISA) previously acknowledged that several U.S. government agencies experienced intrusions related to the MOVEit breach, with the U.S. Department of Energy confirming two of its entities were affected.
Despite backtracking on some threats, Clop is still intent on releasing data stolen from other organizations, including consultancy giant Ernst & Young and stockbroker TD Ameritrade.
They have already published a large amount of data allegedly taken from clients of British multinational professional services brand PwC, which stopped using the MOVEit platform. PwC has not disclosed the number of impacted clients or the types of data compromised.
Clop's dark leak site also mentioned other companies, such as a U.S. airline, a Canadian tech firm, and a U.K. payments cybersecurity company, without any response from them.
The full extent of the damage caused by the MOVEit mass-hacks remains uncertain. According to Brett Callow, a threat analyst at Emsisoft, 381 known victims have been identified so far, impacting the personal data of almost 20 million individuals.
However, considering the average number of individuals per breach and unconfirmed organizations, the potential total of impacted individuals could be much higher, estimated at around 85,955,498 or more, including unknown organizations yet to be discovered.
