More than 16 million people and counting have had data exposed in MOVEit breaches

More than 16 million people are known to have had their information accessed by hackers exploiting vulnerabilities in the MOVEit software thus far, according to researchers tracking the situation — a tally that is likely a fraction of the total amount.

Since June 1, experts have warned of the vulnerability affecting the popular file transfer software, and dozens of the biggest organizations in the U.S. and Europe have since come forward to reveal that they were affected by the situation.

Emsisoft threat analyst Brett Callow, who has been tracking reports from affected organizations and the leak site of the Clop ransomware group, says the number of confirmed victims has now reached at least 158.

Of those, Callow said only 11 — most of them state-level agencies like California’s pension fund or companies forced to file breach notifications — have revealed the number of people who had information accessed by Clop ransomware actors.

“Given that only 11 organizations have so far disclosed the number impacted by their MOVEit breach, it’s likely that massively more people were affected than we currently know about,” Callow said.

More come forward

Just this week, the University of California, Los Angeles, Siemens Energy and Schneider Electric revealed that they had data accessed through the MOVEit vulnerability.

Bloomberg and the Associated Press reported that the Department of Health and Human Services is the fourth federal department or agency to be involved in the MOVEit fiasco. Department officials allegedly told Congress that more than 100,000 people were affected by their data breach.

The departments of Energy and Agriculture, as well as the Office of Personnel Management, were also affected by the issue. CISA Director Jen Easterly said “several” federal agencies were impacted but would not say how many.

The National Student Clearinghouse — which provides educational reporting, verification, and research services to nearly every North American college and university — said it notified law enforcement after discovering hackers “obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers.”

The organization has notified multiple institutions whose data was affected about the incident.

“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” they said. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”

Billion-dollar conglomerate Honeywell also revealed that data, including certain personally identifiable information, was accessed by hackers through the MOVEit vulnerability. It is in the process of contacting customers, partners and more.

And Tennessee’s Consolidated Retirement System came forward this week to say it was affected in the same way as California’s Public Employees' Retirement System (CalPERS), with more than 170,000 retirees and beneficiaries affected via a third-party vendor called PBI Research Services/Berwyn Group. Active members’ information was not in the breach.

In addition to the federal agencies, organizations affected include:

• U.S. state-level agencies in Illinois, Missouri, Minnesota, Colorado, Oregon and Louisiana
• Oil giant Shell
• Canadian government bodies in Nova Scotia
• Schools like Johns Hopkins University, the University of Georgia, the University of Rochester and the University of Missouri
• Organizations in the U.K., like communications regulator Ofcom, the BBC, British Airways, Irish carrier Aer Lingus and pharmacy chain Boots
• Cybersecurity giant Gen
• The Metro Vancouver Transit Police
• “Big Four” accounting firms PricewaterhouseCoopers and EY