TJ Maxx, Shutterfly, TomTom latest organizations to confirm MOVEit breaches
More than 350 organizations have said they had data accessed or stolen after a vulnerability was exploited in the widely-used MOVEit file transfer software, with a slew of new companies and educational institutions confirming they were affected in recent days.
The Clop ransomware gang on Monday continued its trend of adding new victims to its leak site in batches of about 10.
CL0P #ransomware group added 9 new victims to their #darkweb portal.
— FalconFeedsio (@FalconFeedsio) July 17, 2023
- TJX Companies Inc
- Vitesco Technologies
- Valmet
- Fortescue
- DESMI
- Crum & Forster
- Compucom
- Sierra Wireless
- RCI #clop #moveit #deepweb #cyberrisk #infosec #USA #Germany… pic.twitter.com/7u3lcQA1si
TJX Companies, the corporate entity behind popular retail brands like TJ Maxx (TK Maxx in Canada and Europe), Marshalls, HomeGoods, HomeSense and Sierra, confirmed to Recorded Future News that it was impacted by the attacks on MOVEit.
“Although we are aware some files were downloaded by an unauthorized third party before Progress notified us of the vulnerability, based on current information, we do not believe there was any unauthorized access to any customer or Associate personal information on TJX’s systems or any material impact to TJX,” a spokesperson said.
“We take protecting the data of our customers, Associates, and vendors seriously and we continue to monitor the situation closely.”
The corporation reported more than $11.7 billion in net sales for the last fiscal quarter from the over 4,500 retail locations they operate. They did not respond to follow up questions about what information was involved.
While several of the companies listed by Clop have so far declined to comment, many have been open about being affected by the incident. Clop, believed to be based in Russia, exploited a vulnerability in MOVEit’s software in May, allowing it to gain access to data from hundreds of organizations.
Location technology company TomTom told Recorded Future News last week that it notified relevant authorities about its MOVEit breach while photography platform Shutterfly also confirmed that its enterprise business unit had data accessed.
A spokesperson for Shutterfly said the Shutterfly Business Solutions (SBS) used the MOVEit platform for some operations.
“Upon learning of the vulnerability in early June, the company quickly took action, taking relevant systems offline, implementing patches provided by MOVEit, and commencing a forensics review of certain systems with the assistance of leading forensic firms,” they said.
To date, 57 of the 357 orgs impacted by #MOVEit have confirmed the # of individuals impacted, and that adds up to 18,661,546. The education sector has been particularly hard hit, with the 59 US schools impacted via #NSC, #TIAA, et al. 91/357 were impacted via 3rd parties. 2/2
— Brett Callow (@BrettCallow) July 17, 2023
“After a thorough investigation with the assistance of a leading third-party forensics firm, we have no indication that any Shutterfly.com, Snapfish, Lifetouch nor Spoonflower consumer data nor any employee information was impacted by the MOVEit vulnerability.”
They did not say what data was taken.
Billion-dollar industrial manufacturing corporation Emerson, which was named by Clop ransomware actors last week, said its investigation found that no data containing sensitive information impacting their business or customers was accessed.
“After learning that company data was accessed through the MOVEit application, we took immediate and comprehensive measures to address the vulnerability and assess impact,” a spokesperson said.
“The only system accessed was that hosting the MOVEit application. Emerson’s IT applications and infrastructure were not accessed or affected in this incident. We have taken actions to further enhance the security of file sharing tools.”
Several other companies named by Clop, like Japan Tobacco International USA, also confirmed they were users of MOVEit and were affected by the incident.
Colleges, pension funds and governments
Alongside the companies and corporations dealing with breaches related to MOVEit, dozens of schools have been forced to release notices due to information they sent through it to the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association of America (TIAA).
The latest schools to announce include:
- The University of Oklahoma
- Drake University
- Augsburg University
- Colorado State University
- University of Colorado
- Western University of Health
- University of Delaware
- Stony Brook University
- Rutgers University
- Abilene Christian University
- The New Mexico Military Institute
- Loyola University Chicago
- Washington State University
- Hamilton College
- As well as seven colleges and universities in Idaho.
The Florida government of Hillsborough County also confirmed that it was affected by the incident. Both the Employees Retirement System of Rhode Island and the government of Nova Scotia, Canada provided updates on their own exposure to the attacks.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.