Norton LifeLock owner, Vancouver Transit Police confirm MOVEit breaches

New victims have come forward to confirm that their data was accessed through the exploitation of vulnerabilities in the MOVEit file transfer tool — a tactic cybercriminals have used in several high-profile incidents over the last three weeks.

Cybersecurity giant Gen — which owns well-known brands like Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner — confirmed to Recorded Future News that some of its employee data was accessed.

A spokesperson for Gen said employees use MOVEit for file transfers, and the company started an investigation after discovering the malicious activity. The incident had “no impact” on the company’s IT systems, services or customer information, the spokesperson said.

“Unfortunately, some personal information of Gen employees and contingent workers was impacted which included information like name, company email address, employee ID number, and in some limited cases home address and date of birth,” the spokesperson said.

“We immediately investigated the scope of the issue and have notified the relevant data protection regulations and our employees whose data may have been impacted.”

This is the second incident to affect the company this year after 925,000 inactive and active Norton accounts were locked down due to widespread credential stuffing incidents — where attackers use large lists of previously compromised usernames and passwords to try to access accounts.

Vancouver agency, University of Missouri and more

Gen was not alone in announcing MOVEit-related issues. The Metro Vancouver Transit Police, the University of Missouri and a state agency in Colorado all confirmed that they are investigating incidents involving the exploitation of their MOVEit instances.

A University of Missouri spokesperson confirmed that the school is investigating a security breach after the Clop ransomware group named the school as one of its victims.

Since last week, the gang has posted dozens of high-profile victims it allegedly attacked through the MOVEit file transfer software. The victims range from high-profile businesses to several banks, hospitals and universities.

The Metro Vancouver Transit Police published a statement saying hackers accessed 186 files that had been transferred using MOVEit. The organization said it is still examining what data is in the files but confirmed that the hackers never had access to the Transit Police network.

They added that the Royal Canadian Mounted Police is also leading an investigation into what happened.

Colorado joined several other U.S. states in announcing MOVEit breaches, with its Department of Health Care Policy & Financing confirming that it is in the process of investigating an incident involving the data of state residents.

“Early analysis indicates that it is reasonable to believe personal identifiable information of individuals served by Health First Colorado (Colorado’s Medicaid program), the Child Health Plan Plus (CHP+) - the state’s safety net health coverage programs - could have been impacted,” the state said, adding that anyone who has “applied for or have been covered anytime since 2015 by Health First Colorado or Child Health Plan Plus” needs to protect themselves.

“As soon as the agencies have determined the extent of and the specifics related to the impact, HCPF will directly notify individuals. Concurrent to this work, HCPF experts are working with the national third party vendor to investigate and address the cybersecurity intrusion with the specific goal of preventing any further data file compromises.”

The controversy around MOVEit continues to expand just weeks after the software’s first vulnerability was discovered.

As of Wednesday, at least three federal U.S. agencies — the departments of Energy and Agriculture as well as the Office of Personnel Management — were affected by the issue. CISA Director Jen Easterly said “several” federal agencies were impacted but would not say how many.

In addition to the federal agencies, organizations affected include:

Progress Software, the company behind MOVEit, last week announced two new vulnerabilities in the product requiring urgent remediation.

The company is now also facing a federal class action lawsuit over its handling of the fiasco, according to Bloomberg News.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.