MOVEit ransomware attack highlights importance of managing supply-chain cyber risks

Published on 7th Jun 2023

UK and international breaches are a timely reminder that organisations need to properly assess supply chain security

DT_mobile-laptop

Cyber criminals have successfully exploited a zero-day vulnerability in the MOVEit file transfer tool, according to recent media reports. The breach is likely to have affected thousands of organisations internationally, including many in the UK.

The system, produced by US-based Progress Software, is designed to allow customers to securely transfer sensitive information between different entities and systems. In a security advisory, Progress Software confirmed that a threat actor could exploit an SQL injection vulnerability allowing them to gain access to MOVEit's database.

A MOVEit spokesperson told Osborne Clarke that the software was patched within 48 hours and the company "has implemented a series of third-party validations to ensure the patch has corrected the exploit".

The attack has been claimed by Russian-speaking ransomware group Clop. Among those affected are a number of clients of the payroll support services provider Zellis, which used the MOVEit software, including some high-profile businesses in the UK. Reports indicate that compromised personal data included contact information, National Insurance numbers and bank details.

Osborne Clarke Comment

The attack is a timely reminder of the importance of properly assessing the cyber-security posture of the whole of an organisation's supply chain, including sub-contractors.

This is an area that is receiving increased attention , with the UK's National Cyber Security Centre having released guidance on supply chain mapping earlier this year, following on from its guidance on assessing supply chain cyber security in autumn 2022.

When it comes to implementing appropriate technical and organisational measures, organisations need to be aware that it may not be sufficient to rely on the security measures and assessments of third parties without performing some level of due diligence themselves. Supply chain vulnerabilities, in particular, have been at the heart of a number of high-profile cyber incidents which have caught the attention of the ICO. From a legal perspective, organisations need to consider whether they have adequate contractual rights to transparency and compensation to allow them to comply with, respectively, their regulatory obligations and ensure that they are adequately compensated against costs and liability exposure that can arise from a supplier breach.

This Insight was updated on Thursday 8 June 2023.

Follow

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?