MeridianLink confirms cyberattack after ransomware gang claims to report company to SEC

Financial software company MeridianLink confirmed that it is dealing with a cyberattack after the hackers behind the incident took extraordinary measures to pressure the company into paying a ransom.

MeridianLink, which reported more than $76 million in revenue last quarter, provides tools to banks, credit unions, mortgage lenders and consumer reporting agencies in the United States.

This week, the company was added to the leak site of AlphV/Black Cat, a ransomware gang believed to be based in Russia that has been involved in several brazen attacks, including the takedown of MGM Resorts.

A spokesperson for MeridianLink confirmed to Recorded Future News that they recently identified a cybersecurity incident.

“Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” the spokesperson said.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”

The attack drew the interest of security researchers because AlphV claimed on its leak site that it reported MeridianLink to the Securities and Exchange Commission (SEC) for not informing the regulator of the incident, which they claim took place a week ago. AlphV confirmed to DataBreaches.net that it sent the SEC a notice about the attack.

The ransomware gang later shared a photo of the form it sent the SEC and erroneously claimed MeridianLink violated the SEC’s much-discussed new reporting rules, which in fact do not take effect until next month.

If the rules were in effect, the company would have four days from when they detected a “material” cyber event to report the incident. Companies and cybersecurity executives continue to debate what the SEC considers “material” and the SEC plans to release more guidance on the term.

But during a talk at the Aspen Cyber Forum this week, several government officials confirmed that the rules do not mean that attacks need to be reported four days after they are discovered, but only after they are considered to have a significant effect on a company’s bottom line.

ALPHV BlackCat allegedly files SEC complaint against MeridanLink for failure to file a cybersecurity incident.@Mandiant pic.twitter.com/DHEKLEo4DV

— Dominic Alvieri (@AlvieriD) November 15, 2023

A SEC spokesperson declined to comment when asked about the form or whether MeridianLink needed to report the incident.

The brazen move was the latest extortion tactic used by ransomware gangs in their attempt to use any means necessary to extract ransoms out of victims. Another ransomware gang this summer threatened to report companies to European regulators for alleged violations of the General Data Protection Regulation — the European Union’s far-reaching privacy law — if they did not pay ransoms.

Jim Doggett, CISO at cybersecurity company Semperis, told Recorded Future News that the move, while eye-popping, may leave the group in the crosshairs of U.S. law enforcement agencies.

“Drawing unneeded attention to themselves isn’t wise if they are looking to keep the gravy train of profitability running,” he said.

Ilia Kolochenko, CEO at application security company ImmuniWeb, noted that misuse of the new SEC rules to put additional pressure on publicly traded companies was foreseeable.

“Ransomware actors will likely start filing complaints with other US and EU regulatory agencies when the victims fail to disclose a breach within the timeframe provided by law. Having said that, not all security incidents are data breaches, and not all data breaches are reportable data breaches,” said Kolochenko, who also serves as an adjunct professor of cybersecurity and law at Capitol Technology University.

“Therefore, regulatory agencies and authorities should carefully scrutinize such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence, otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyze their work.”