PwC: ‘Limited’ Client Data Impacted In MOVEit Cyberattacks
The company says it has contacted the ‘small number of clients whose files were impacted’ after the cybercriminal group Clop claimed to have stolen some of PwC’s data.
PricewaterhouseCoopers acknowledged Thursday it has become one of the latest victims impacted by the widespread cyberattack campaign exploiting a vulnerability in the MOVEit file transfer tool.
PwC confirmed to CRN that it has used Progress’ MOVEit product and that it has been affected by the attacks, but characterized the impacts on the company and its clients as “limited.”
“Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC,” the company said in a statement provided to CRN .
[Related: Progress Slams Researcher For Tweeting Zero-Day MOVEit Vulnerability]
PwC said Thursday it has notified the “small number of clients whose files were impacted” in the incident. The company said it had utilized MOVEit “with a limited number of client engagements.”
PwC added in its statement that it had halted use of MOVEit “as soon as we learned of this incident.” The disclosure came after cybercriminal group Clop posted on its darkweb site that it has obtained PwC data. The Russian-speaking group has been demanding extortion payments from victim organizations in exchange for not posting stolen data on its site.
The group also posted that it has obtained data from Ernst & Young. The firm is “thoroughly investigating systems where data may have been accessed,” Ernst & Young said in a statement from last week.
“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” the company said in the statement provided to outlets including CRN.
While a series of vulnerabilities have been discovered recently in Progress’ MOVEit tool, the original flaw (tracked at CVE-2023-34362) has seen the widest exploitation by Clop in recent weeks. The vulnerability can enable escalation of administrative privileges and unauthorized access, Progress has said.
Growing List Of Victims
The California Public Employees’ Retirement System (CalPERS), which is the largest public pension fund in the U.S., confirmed Wednesday that it has been impacted by the MOVEit attacks. A CalPERS representative reportedly said Thursday that the data of 769,000 retirees was compromised.
Insurance firm Genworth, meanwhile, said Thursday that the data of as many as 2.7 milliion customers was impacted in a MOVEit-related breach.
CalPERS and Genworth both said the breaches stemmed from the hack of third-party vendor PBI Research Services.
A total of 97 organizations are known to have fallen victim to the MOVEit attacks so far, according to a tally by Emsisoft threat analyst Brett Callow.
Multiple U.S. government agencies have been impacted by the attacks, according to the Cybersecurity and Infrastructure Security Agency. At least two Department of Energy facilities—including a storage site for radioactive waste in New Mexico—have reportedly been among the victims. State agencies including the Louisiana Office of Motor Vehicles and the Oregon Driver and Motor Vehicles division have confirmed that sensitive data, including driver’s license files, has been stolen in the attacks.
Other confirmed victims of the attacks have included Shell, Johns Hopkins University and Health System, British Airways, the BBC and the Government of Nova Scotia.