trending
Today, in a global first, cyber criminals have upped their game by filing a complaint to the US Securities and Exchange Commission (SEC), reporting a company it claims to have hacked for failure to declare the cyber incident.
Cyber criminals report company to SEC
Following a growing number of cyber security incidents at US organizations in 2022 and 2023, the SEC adopted new rules that required publicly traded companies to report cyberattacks that have a material impact on the company.
Cyber security incident reporting is “due four business days after a registrant determines that a cyber security incident is material,” the new rule states.
Now the ALPHV/BlackCat ransomware operation has ramped up its blackmail operation to a new level by filing the SEC complaint against one of its victims for not complying with the four-day rule to disclose the attack.
ALPHV listed MeridianLink, a publicly traded company that provides digital solutions for financial organisations, on their data leak with a threat that they would expose allegedly stolen data unless a ransom was paid within 24 hours.
Cyber criminals report hack!
According to DataBreaches.net, ALPHV said they breached MeridianLink’s network on 7th November, 2023 and stole company data without encrypting systems.
ALPHV say “it appears MeridianLink reached out, but we are yet to receive a message on their end” (to negotiate a payment in exchange for not leaking the stolen data).
The lack of reported communication from MeridianLink with ALPHV led the gang to increase pressure by sending a complaint to the SEC about not disclosing a cybersecurity incident that impacted “customer data and operational information.”
In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.
What does SEC do?
In a statement, MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.
The company added that it is still working to determine if any consumer personal information was impacted by the cyberattack and it will notify affected parties if so.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this is the first public confirmation that they have done so.
However, it should be noted that the SEC’s new cybersecurity rules are set to take effect on 15th December, 2023.
Comments