DHL investigating MOVEit breach as number of victims surpasses 20 million

The United Kingdom arm of shipping giant DHL said it is investigating a data breach sourced back to its use of the MOVEit software, which has been exploited by a Russia-based ransomware group for nearly two months.

In a statement to Recorded Future News, DHL confirmed that one of its software providers was impacted by the vulnerability affecting MOVEit, a file-sharing tool from Progress Software.

“Upon being made aware of the incident, DHL quickly launched an investigation working with relevant experts to understand the impacts,” a spokesperson said. “This investigation is ongoing, and we will continue to communicate with those affected when we have more information to share."

DHL becomes the latest major company to announce a breach related to the Clop ransomware gang’s exploitation of the MOVEit bug. Progress Software has patched the software, but the cybercriminals have still been able to find unpatched targets.

Researchers from Emsisoft have been tracking the number of companies involved, finding that at least 383 organizations have been affected and the information of 20,421,414 people has been leaked as a result.

Multiple organizations filed documents with regulators in Maine this week confirming the data that was accessed through MOVEit. Some banks and financial institutions said hundreds of thousands of customers were affected while higher-profile organizations confirmed breaches with smaller numbers of victims.

Popular online poker cardroom PokerStars said its breach involved the Social Security numbers of 110,291 people, while Pennsylvania-based Franklin Mint Federal Credit Union said 140,963 had their Social Security numbers accessed by Clop ransomware actors.

1st Source Bank exposed the sensitive data of 450,000 customers through its use of MOVEit, providing victims with two years of identity protection services. Most victim organizations have taken similar steps.

Fidelity & Guaranty Life Insurance Company said about 873,000 people had their Social Security numbers and more leaked. The financial services company noted that its exposure was due to data shared with PBI Research Services — an audit company that has already been implicated in the MOVEit breaches of dozens of organizations, including many of the largest pension funds in the U.S. and universities across the world.

The company filed its own documents with state and federal regulators warning that the personal information of millions of people were leaked due to the MOVEit vulnerability.

The American Civil Liberties Union Foundation was also affected by the PBI breach, revealing this week that 575 donors and beneficiaries were affected by the situation.

Coveware CEO Bill Siegel told BleepingComputer that Clop’s ’s MOVEit-centered attacks were far more successful than the group’s previous attacks on file transfer tools because the sheer number of vulnerable companies meant they could focus on victims they knew would pay ransoms.

Researchers at Coveware released a report on Friday indicating that the Clop ransomware group may end up earning anywhere from $75 million to $100 million just from the MOVEit campaign, with that sum “coming from just a small handful of victims that succumbed to very high ransom payments.”

“This is a dangerous and staggering sum of money for one, relatively small group to possess,” the researchers said. “For context, this amount is larger than the annual offensive security budget of Canada.”