EY MOVEit Transfer Breach Exposes Bank of America Data

On Aug 9, 2023, Ernst and Young (EY) was breached by Cl0p, who took advantage of a zero-day vulnerability in the software MOVEit. The bug used in the attack was a Structured Query Language (SQL) injection flaw, which is used to insert malicious code into database queries. Cyberwire states: “The bug is particularly dangerous because attackers can use the initial SQL injection for secondary attacks, which could mean that hundreds of breached organizations are only the first wave of a massive tsunami.”

MOVEit allows someone to transfer files/data between servers, systems, etc., all using a common folder. It also has features that allow the user to control who transfers the data and how it is transferred. The most important feature, however, is that users can secure critical data in transit and at rest with advanced security features and proven encryption. It also allows the user to leverage authorization and authentication.

Now why is this important? EY provides services for the Bank of America (assurance, consulting, strategy, transactions, and tax services). Though it is not specified, EY could have easily used MOVEit to transfer data to servers at Bank of America. As of now, around 30k people from Bank of America were exposed in the attack. Exposed data could’ve included credit/debit data, social security numbers, addresses, etc. Hackers can use this data to open new accounts, make unauthorized purchases, and commit identity theft. Cl0p claims to have 3 terabytes of EY’s data. This attack showcases how a single software exploit can open up many doors.

EY and Bank of America are both taking measures to support victims. EY stated that Bank of America will provide victims with a 2-year complimentary membership in identity theft protection. EY has also sent data breach notification letters to all who were affected.

So far, 620 organizations and 40 million people have been affected by Cl0p’s MOVEit attacks. Large companies such as American Airlines, Warner Bros Discovery, Honeywell, AutoZone, and Pioneer Electronics have been affected.

The average ransom payout is 250k, and over 600 companies/organizations have been impacted so far. If only 10% have paid the ransom, it is quite possible that Cl0p has generated around 7 million.


