MOVEit Breach Confirmation for Georgia University System Comes in One Year Late

by | May 16, 2024

Georgia’s university system was thought to be among the first wave of organizations compromised when the MOVEit breach emerged in May 2023, but notifications have just recently been issued to about 800,000 likely victims.

The late reporting is likely not a breach of any laws, as the university system is allowed an unspecified amount of “reasonable time” to conduct an investigation into the details of impacted parties. But it is long after the hackers likely dumped the data in retribution or sold it privately, as all indications are that the university system did not make a payment.

Breach of Georgia university system included highly sensitive information

With this addition, the MOVEit breach is now over 95 million total records exposed (and apparently still growing). Georgia’s university system of 26 schools joins at least 900 other schools in the country that were breached as part of the incident, which began in late May of last year and was not patched out until June 15. Notifications are still rolling in as organizations complete their internal investigations and determine exactly how much damage was done and who needs to be contacted.

The Cl0p ransomware gang seemingly abandoned the ransomware aspect for the MOVEit breach campaign, opting instead to quietly infiltrate lots of victims before the zero-day vulnerability they were feasting off of became apparent to anyone. Their extortion campaign is now approaching a total of almost 2,800 victim organizations a year after the fact.

The Georgia university system breach appears to be one of the more damaging due not just to the victim count, but the range of highly sensitive information that was included. The data appears to vary by individual victim but can include full Social Security numbers or Tax ID numbers, bank account numbers, driver’s license numbers or dates of birth.

Cleanup of massive MOVEit breach continues one year later

The university system did confirm that it became aware of the intrusion during the early days of the MOVEit breach, and removed the software from its network near the end of May last year. But unless the victims happen to keep up with cybersecurity news, the breach notification may be the first they are hearing about their sensitive data being stolen. They are being offered free credit monitoring, but it is too little too late for data that was likely dumped or sold by July or August of last year.

The incident highlights many of the usual cybersecurity lessons for organizations, but perhaps more importantly should demonstrate to US data subjects that the current law does not necessarily force their data holders to publish timely breach notifications. Periodic checks of the “HaveIBeenPwned” website are not a bad idea given this reality, as is subscribing to some sort of dark web monitoring service that can give an early heads-up on potentially relevant data breaches. And even if a breached organization makes a ransom payment, the data could still surface months to years later.

Recent Posts

How can we help?

4 + 5 =

× How can I help you?