The UK's broadcasting regulator, Ofcom, has confirmed that it is amongst the organisations whose data has been stolen as a result of the massive MOVEit supply-chain cyber attack.
In a statement posted on its website, Ofcom confirmed that a "limited amount of information" about companies it regulated, alongside the personal data of over 400 employees, was stolen.
Cl0p, the Russia-linked cybercrime gang behind the exploitation of a critical flaw in Progress Software's MOVEit file transfer tool, has given Ofcom and hundreds of other companies until tomorrow (June 14) to begin negotiations or face the consequences.
The challenge for some of the organisations whose data has been stolen is that they may have been entirely unaware that they were at risk.
For instance, some corporations have only been affected because they used a third-party supplier such as Zellis to manage their payroll, and it was Zellis that was using Progress Software's MOVEit tool containing the vulnerability.
Such is the scale of the attack, and the likely huge amount of data it managed to steal, that the Cl0p gang took the unusual step of not contacting the companies whose data had been stolen. Instead, a blackmail message was posted on Cl0p's dark web leak site telling any firm that did not want its breach made public to get in touch.
Other organisations which are known to have been impacted by the MOVEit vulnerability include the BBC, UK high street pharmacy Boots, airlines British Airways and Aer Lingus, and Ireland's healthcare service.
Organisations using MOVEit Transfer would be wise to read Progress Software’s security bulletin, and follow the advice to mitigate the threat.
Meanwhile, a second vulnerability has been uncovered in MOVEit, after Progress Software called in a third party to conduct a code review.