The infamous ALPHV ransomware group has filed a complaint about one of its victims to the US Securities and Exchange Commission (SEC) after it failed to disclose that it had been attacked.
The threat group, which also goes by the name BlackCat, listed MeridianLink, a financial software company, on its site, saying it filed the SEC complaint.
“The recent adoption of SEC rules mandates public companies to promptly disclose material cyber security incidents under Item 1.05 of Form 8-K within four business days of determining such incidents to be material,” said ALPHV.
“Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago.
“We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC).”
Accompanying the listing was a screenshot of the SEC complaint application process that had been filled out by the threat group, as well as an automated confirmation.
ALPHV BlackCat allegedly files SEC complaint against MeridianLink for failure to file a cybersecurity incident. @Mandiant pic.twitter.com/DHEKLEo4DV
— Dominic Alvieri (@AlvieriD) November 15, 2023
ALPHV also said it would leak the data it had stolen from MeridianLink unless it paid the ransom within 24 hours.
The move by ALPHV is far from typical, but it is an effective way to pressure a victim into making a move, whether that be paying a ransom or facing legal punishment.
Unfortunately for ALPHV, MeridianLink may be safe from regulatory or legal consequences. While the threat group is correct in saying that the SEC will require organisations to disclose a cyber breach within four days of discovery, these are new reporting rules that will not become active until next month.
Furthermore, government officials confirmed last week at the Aspen Cyber Forum that breaches only need to be reported four days after they have been classed as having a significant impact, not four days exactly after discovery.
Following the incident, MeridianLink has confirmed that it has suffered a cyber security incident, but it has said that there is nothing to suggest an actual cyber attack.
“Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” a spokesperson from MeridianLink said.
“Based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption.
“If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”