A hacking group recently utilized an unexpected tactic after successfully infiltrating a financial software company’s network. The group reported the breach to the US Securities and Exchange Commission (SEC), putting pressure on the company to disclose the security incident to the appropriate authorities.
DataBreaches.net originally reported the incident, outlining the actions of the notorious ALPHV / BlackCat group. This group has a history of conducting breaches against a wide range of entities, including MGM Resorts and Reddit, displaying its capacity to infiltrate sophisticated networks. In the case of the financial software company MeridianLink, the hackers breached the servers on November 7, exfiltrating company data without encrypting it. When the company failed to engage in direct negotiations, the hackers escalated the situation by filing a report with the SEC.
The hackers cited a new rule passed by the SEC in the summer, which requires companies to report “material cybersecurity incidents” to the agency within four business days. However, there is some ambiguity regarding the effective date of this rule. Official forms suggest that the rule went into effect 90 days after publication in the Federal Register, potentially setting the alleged effective date in early December. This confusion was further compounded by reports from Reuters and additional statements from the Federal Register. Engadget reached out to the SEC for clarification on the status of the rule’s implementation.
In response to the incident, MeridianLink said it responded swiftly to contain the threat. In a statement provided to BleepingComputer, the company said, “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” MeridianLink also noted that it is in the process of determining whether any consumer personal information was compromised and is committed to notifying affected individuals if necessary.
MeridianLink’s failure to report the incident within the stipulated timeframe indicates that the SEC’s rule could, ironically, give cyber attackers a new avenue for exerting pressure on companies. Instead of directly contacting customers or engaging in coercive tactics, hackers might leverage the rule to push companies to comply with their demands or risk regulatory action.
This incident underscores the evolving landscape of cybersecurity breaches and the complex interplay between regulatory compliance and cyber threats. As organizations continue to grapple with the increasing sophistication of cyber attacks, it is imperative for both public and private sectors to remain vigilant and proactive in addressing cybersecurity vulnerabilities.
The incident involving MeridianLink and the hackers’ actions in reporting the breach to the SEC highlights the need for robust cybersecurity measures and comprehensive incident response protocols within organizations. Additionally, it emphasizes the necessity for clear and unambiguous regulatory frameworks to address cybersecurity incidents effectively.
As the cybersecurity landscape continues to evolve, it is crucial for stakeholders to collaborate and stay abreast of emerging threats and regulatory developments. By fostering a culture of cybersecurity awareness and resilience, organizations can better mitigate the risk of cyber attacks and effectively respond to security incidents when they occur.