Report: Hackers Exploit File-Transfer Software MOVEit Security Flaw to Steal User Data

Hackers have reportedly stolen data from several users of file transfer tool MOVEit Transfer.

That’s according to a Friday (June 2) report by Reuters, citing a disclosure from software maker Progress Software, which earlier in the week had revealed the vulnerability that it said could lead to potential unauthorized access into users’ systems.

The report said it was not immediately clear which organizations — or how many — use the software and were affected by the potential breaches, though Progress Software Chief Information Officer Ian Pitt said his company had made fixes available since discovering the vulnerability May 28.

A report by TechCrunch noted that the vulnerability also affects customers who rely on MOVEit’s cloud platform, according to security researcher Kevin Beaumont, who said the U.S. Department of Homeland Security and several “big banks” could be impacted.

According to Reuters, two companies — cybersecurity firm Rapid7 and Google-owned Mandiant Consulting — said they had uncovered several cases in which hackers exploited the flaw to steal data.

“Mass exploitation and broad data theft has occurred over the past few days,” Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement.

The Mandiant statement added that these “zero-day,” or previously unknown, vulnerabilities in managed file transfer solutions have — in the past — led to data theft, leaks, extortion and victim-shaming.

“Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data,” Carmakal said.

The news comes at a time when cyber and data security top the list of concerns of companies that manage international workers. Recent research by PYMNTS and NIUM found that 39% of organizations cite data and cybersecurity as a friction point.

Meanwhile, PYMNTS looked at the role of ethical hackers in cybersecurity — and their duty to inform companies of their findings — earlier this year in a conversation with Inti De Ceukelaire, chief hacker officer at cybersecurity firm Intigriti.

“I would just shoot companies an email and say, ‘I don’t have any bad intentions. I just think that this is something that you should know about,’” he said, adding that he never wished to get in trouble or be penalized for doing the right thing.

However, De Ceukelaire said he grew frustrated when companies would give him the cold shoulder, especially when it involved uncovering large swaths of confidential data like medical records, Social Security numbers or government information threatening thousands of people.

“I’m talking about companies making billions and we’re exposing their customer data, but they didn’t care,” he said. “They didn’t even bother to respond to my emails, and sometimes it was very hard to even find the proper email address.”