
Bank of America and Ernst & Young Settle MOVEit Breach Claims for $2.5 Million

Bank of America and Ernst & Young agreed to a $2.5 million settlement for the MOVEit data breach, underscoring supply chain cybersecurity risks.

Peter Olaleru, Cybersecurity Editor | 3 min | US


Bank of America and Ernst & Young agreed to a $2.5 million settlement to resolve claims stemming from the MOVEit data breach, underscoring the financial liabilities associated with third-party vendor compromises.

Context

The 2023 MOVEit Transfer data breach impacted thousands of organizations globally. Attackers exploited a critical vulnerability in Progress Software's MOVEit Transfer, a widely used secure file transfer solution. This incident became a significant supply chain attack, as threat actors accessed data managed by various third-party vendors for their clients.

Key Facts

Bank of America and professional services firm Ernst & Young (EY) settled claims related to this incident for $2.5 million. The breach exposed sensitive information when the Clop ransomware group exploited a zero-day SQL injection vulnerability, identified as CVE-2023-34362, in the MOVEit Transfer application.

The attack vector allowed unauthorized access to the application's database, enabling data exfiltration. EY, a vendor for Bank of America, was among the organizations that utilized MOVEit Transfer, leading to the potential exposure of Bank of America customer data.

What It Means

This settlement highlights the significant financial and reputational risks organizations face when their third-party vendors experience data breaches. Businesses are increasingly held accountable for the security posture of their entire supply chain, not just their direct infrastructure.

What Defenders Should Do

Organizations must prioritize rigorous third-party risk management. This includes comprehensive security assessments of all vendors, ensuring their compliance with stringent data protection standards, and requiring prompt patching.

Immediate actions include patching all instances of MOVEit Transfer software to address CVE-2023-34362 and subsequent vulnerabilities. Network segmentation for critical systems like secure file transfer solutions can limit lateral movement during a breach. Implement robust logging and monitoring to detect unusual activity, and regularly review access controls for systems handling sensitive data. Organizations should also develop and test incident response plans specifically for third-party breaches.
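The "logging and monitoring to detect unusual activity" step above is easy to state and harder to make concrete. The script below is an added example, not code from the article or from Progress Software: it parses constructed access-log lines in a simplified W3C-style format (date, time, client IP, method, path, status, bytes sent) for a file transfer server and applies two defender-side checks that fit a breach of this shape, a successful request to a path outside the application's known baseline (a file the product never shipped being served) and a client whose download volume within a sliding window exceeds a threshold (bulk exfiltration). The log format, the sample lines, the allowlist of known paths and the thresholds are all assumptions; a real deployment would take the baseline from a known-good install and tune the window and volume to its own traffic.

```python
"""Toy detection over constructed file-transfer access-log lines.

Added example; not the article's or the vendor's code. Log format,
sample lines, path allowlist and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic), format:
# date time client-ip method uri-stem status bytes-sent
SAMPLE_LOG = """\
2023-05-28 09:00:01 198.51.100.10 GET /login 200 2048
2023-05-28 09:00:05 198.51.100.10 POST /login 302 512
2023-05-28 09:00:09 198.51.100.10 GET /files/download 200 4194304
2023-05-28 22:14:01 203.0.113.7 POST /unexpected.aspx 200 0
2023-05-28 22:14:02 203.0.113.7 GET /unexpected.aspx 200 64
2023-05-28 22:14:10 203.0.113.7 GET /files/download 200 52428800
2023-05-28 22:14:30 203.0.113.7 GET /files/download 200 52428800
2023-05-28 22:14:55 203.0.113.7 GET /files/download 200 52428800
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed allowlist of paths the application is expected to serve.
# In practice this baseline comes from a known-good install of the product.
KNOWN_PATHS = {"/login", "/logout", "/files/download", "/files/upload"}


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped so one
    bad line cannot crash the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "bytes": int(m["bytes"]),
        })
    return events


def unknown_paths(events, known=KNOWN_PATHS):
    """Paths outside the baseline that the server answered with 2xx.
    A newly dropped file being served is a strong signal to investigate."""
    return sorted({
        e["path"] for e in events
        if 200 <= e["status"] < 300 and e["path"] not in known
    })


def bulk_downloads(events, window=timedelta(minutes=5), threshold=100 * 1024 * 1024):
    """Map client IP -> peak bytes downloaded inside any sliding window
    longer than `threshold`. Only successful GETs of the download path count."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and e["path"] == "/files/download" and e["status"] == 200:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold:
                flagged[ip] = max(flagged.get(ip, 0), total)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unknown paths:", unknown_paths(evs))
    print("bulk downloaders:", bulk_downloads(evs))
```

Both checks are deliberately simple and produce findings to triage, not verdicts: the allowlist check catches nothing if the baseline is stale, and the volume check needs a threshold set from the server's normal traffic, which is why the window and byte limit are parameters rather than constants.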

Watch for continued legal and financial repercussions from the MOVEit breach, as more affected organizations and individuals may seek compensation.
