The U.S. Department of Health and Human Services (HHS) has confirmed that it is one of the many victims of a massive data breach that has affected more than 15.5 million individuals and hundreds of organizations worldwide.
The breach was caused by a security vulnerability in the MOVEit Transfer software, a popular tool for transferring files across networks. The flaw was exploited by the Clop ransomware gang, which stole sensitive data from various government agencies, corporations, universities and other institutions.
According to a report by MSN, HHS notified Congress of the incident on Tuesday, saying that more than 100,000 people could be affected by the exposure of their personal information. HHS did not provide details on the type of data involved, but claimed that none of its systems or networks were compromised.
The MOVEit Transfer vulnerability was discovered last month and patched by its developer, Progress Software, on May 31. However, cybersecurity experts say that many organizations likely had their data exfiltrated before applying the update, without being aware of it.
A growing list of victims
The Clop ransomware gang has been posting the stolen data on its dark web leak site, threatening to extort the victims if they do not pay a ransom. Some of the confirmed victims include:
- The U.S. Department of Energy and other federal agencies
- More than 9 million drivers in Oregon and Louisiana
- Johns Hopkins University, UCLA and other universities
- Siemens Energy, Ernst & Young and other corporations
- The California Public Employees’ Retirement System, the Tennessee Consolidated Retirement System and other pension funds
- The BBC and other media outlets
- British Airways
The breach is one of the largest and most widespread cyber attacks in recent history, affecting millions of people across various sectors and regions. It also highlights the risks of relying on third-party software that may contain hidden vulnerabilities.
Cybersecurity experts advise organizations to update their software as soon as possible and monitor their networks for any signs of compromise. They also recommend implementing strong data encryption and backup policies to protect against ransomware attacks.
The HHS breach is not the first time that the department has been targeted by hackers. In 2015, it was among the victims of a massive cyberattack that compromised the personal data of more than 21 million federal employees and contractors. That attack has been attributed to Chinese hackers.
The HHS breach is also not the first time that Clop has been involved in a major data theft operation. In March, the gang claimed responsibility for hacking into Accellion, a file-sharing service used by many organizations, including law firms, banks and universities. That breach affected more than 100 customers and exposed more than 300 GB of data.
Clop is one of several ransomware groups that have been ramping up their attacks in recent months, targeting critical infrastructure, health care providers and other high-profile targets. The group is believed to operate from Russia or Eastern Europe and use double extortion tactics to pressure their victims into paying.