Share this article on:
Consultancy firm PwC has had its data leaked on the clear web following the attack it suffered as part of the MOVEit hack.
The group behind the attack, Clop, posted data belonging to PwC online, with a total of 11 batches listed on the dark web and four on the clear web.
According to sources speaking with ITWire, the URL of the clear web leak site contains a spelling mistake preventing users from accessing the data.
The sources have said this could very well be intentional and that the hacking group could threaten PwC with correcting the link unless ransom or other terms are met. They also said that this would make the site easier to find and thus be an increased threat to PwC.
However, the same sources said this could also be a real mistake made by the threat actors.
PwC announced it was hit in the MOVEit attack last month, saying it was aware of the incident.
“We are aware that MOVEit, a third-party transfer platform, has experienced a cyber security incident [that] has impacted hundreds of organisations, including PwC. PwC uses the software with a limited number of client engagements,” a statement from the company read.
“As soon as we learned of this incident, we stopped using the platform and started our own investigation.”
PwC added that only a limited number of its clients were affected in the breach, and those that were have been contacted.
It also said that its own systems remain secure and that only the MOVEit database was breached, limiting the data stolen to that PwC had shared with the service.
The MOVEit cyber attack occurred back in May when the software manufacturer, Progress, confirmed the existence of a vulnerability. The vulnerability was flagged by the US government and cyber security researchers on 1 June.
The vulnerability, dubbed CVE-2023-34362, was an SQL injection flaw in the MOVEit Transfer web application, which according to CVE, “could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.”
CVE adds that the vulnerability was exploited in the wild in May and June.
The attack has led to a total of 379 organisations being breached and a total of 19 million individuals being affected. Victims include a wide range of US government agencies as well as Medibank, Shell and Microsoft.
Following the attack, Clop was quick to release a statement demanding communication, likely for a ransom.
“Clop is one of top organization offer penetration testing service after the fact,” Clop’s ransom notice read, written in broken English.
“This is announcement to educate companies who use progress MOVE1t [sic] product that chance is that we download alot of your data as part of exception, exploit we are the only one who perform such attack and relax because your data is safe.”
“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the note read.
“You chat will close after 10 not productive day and data will be publish.”