Future-proofing supply chains

MOVEit ransomware attack highlights importance of managing supply-chain cyber risks

Published on 7th Jun 2023

UK and international breaches are a timely reminder that organisations need to properly assess supply chain security

DT_mobile-laptop

Cyber criminals have successfully exploited a zero-day vulnerability in the MOVEit file transfer tool, according to recent media reports. The breach is likely to have affected thousands of organisations internationally, including many in the UK.

The system, produced by US-based Progress Software, is designed to allow customers to securely transfer sensitive information between different entities and systems. In a security advisory, Progress Software confirmed that a threat actor could exploit an SQL injection vulnerability allowing them to gain access to MOVEit's database.

A MOVEit spokesperson told Osborne Clarke that the software was patched within 48 hours and the company "has implemented a series of third-party validations to ensure the patch has corrected the exploit".

The attack has been claimed by Russian-speaking ransomware group Clop. Among those affected are a number of clients of the payroll support services provider Zellis, which used the MOVEit software, including some high-profile businesses in the UK. Reports indicate that compromised personal data included contact information, National Insurance numbers and bank details.

Osborne Clarke Comment

The attack is a timely reminder of the importance of properly assessing the cyber-security posture of the whole of an organisation's supply chain, including sub-contractors.

This is an area that is receiving increased attention , with the UK's National Cyber Security Centre having released guidance on supply chain mapping earlier this year, following on from its guidance on assessing supply chain cyber security in autumn 2022.

When it comes to implementing appropriate technical and organisational measures, organisations need to be aware that it may not be sufficient to rely on the security measures and assessments of third parties without performing some level of due diligence themselves. Supply chain vulnerabilities, in particular, have been at the heart of a number of high-profile cyber incidents which have caught the attention of the ICO. From a legal perspective, organisations need to consider whether they have adequate contractual rights to transparency and compensation to allow them to comply with, respectively, their regulatory obligations and ensure that they are adequately compensated against costs and liability exposure that can arise from a supplier breach.

This Insight was updated on Thursday 8 June 2023.

Follow
Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up
Related articles
Relocating supply chains | Balancing risk and reward
26/04/2023 1 mins
How to protect against counterfeit goods in distressed supply chains
09/01/2023 6 mins
Prevention is better than cure when managing global supply chain issues in the retail and consumer sector
23/11/2022 1 mins
How to contingency plan for insolvency in a global supply chain
18/11/2022 3 mins

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up