
New York Fines Delta Dental $2.25 Million Over MOVEit Data Breach Exposing 60,000 Files

The penalty stems from a 2023 MOVEit exploit that exposed 60,000 files of personal data, highlighting regulator focus on third‑party risk and compliance.

By Peter Olaleru, Cybersecurity Editor


TL;DR: New York’s Department of Financial Services fined Delta Dental $2.25 million for failing to protect consumer data after a 2023 MOVEit breach exposed 60,000 files. The regulator found the insurer’s cybersecurity program violated state data‑protection rules.

Context

In May 2023, attackers exploited a zero‑day SQL‑injection flaw (CVE-2023-34362) in Progress MOVEit Transfer to gain unauthorized access to file‑transfer servers. The intrusion went unnoticed until July, when abnormal data exfiltration triggered alerts. Investigators later traced the activity to the Cl0p ransomware group, which harvested personal data from thousands of organizations.

Key Facts

The breach compromised names, addresses, Social Security numbers, driver’s license numbers and financial details stored in approximately 60,000 files belonging to Delta Dental customers. New York’s DFS concluded that Delta Dental’s policies, procedures and technical controls did not meet the requirements of 23 NYCRR 500, the state’s cybersecurity regulation. As part of a settlement, Delta Dental agreed to pay a $2.25 million civil penalty and to implement a corrective action plan overseen by the department.

What It Means

The fine signals that regulators will hold companies accountable for inadequate safeguards, even when the initial exploit originates in a third‑party service. For Delta Dental, the penalty adds to remediation costs and may trigger additional scrutiny from other state agencies and potential class‑action litigation. The case underscores the growing emphasis on third‑party risk management within financial‑services cybersecurity frameworks.

What Defenders Should Do

Patch MOVEit Transfer immediately to address CVE-2023-34362 and apply all subsequent security updates from Progress. Enforce network segmentation so file‑transfer servers cannot reach internal databases directly. Deploy outbound traffic monitoring and anomaly detection to spot large, unusual data transfers consistent with MITRE ATT&CK T1041 (Exfiltration Over Command and Control Channel). Review and update vendor‑risk assessments to verify that third‑party providers maintain equivalent security controls. Ensure logging and retention policies satisfy 23 NYCRR 500 §500.04, and conduct regular tabletop exercises that simulate supply‑chain attacks.
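The outbound-volume monitoring recommended above can be prototyped with a few lines of Python. The example below is an added illustration for this article, not code from Delta Dental, DFS or Progress: it aggregates constructed flow records (timestamp, source host, destination, bytes sent) into hourly totals per internal host and flags any hour whose volume exceeds that host's own median plus a multiple of the scaled median absolute deviation. The log format, the host addresses and the tuning constants are all assumptions; the robust statistic is chosen so that a single exfiltration spike does not inflate its own baseline.

```python
"""Flag hourly outbound-volume spikes per internal host from flow records.

Added example for this article. The flow format below is a constructed
CSV-style export (timestamp,src,dst,bytes_out), not any vendor's telemetry.
"""
import csv
import io
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flows. 10.10.5.20 stands in for a file-transfer server
# whose 06:00 hour carries three large transfers to one external address;
# 10.10.5.21 is a host with steady, unremarkable traffic.
SAMPLE_FLOWS = """\
2023-05-27T01:12:00Z,10.10.5.20,198.51.100.4,120000
2023-05-27T02:05:00Z,10.10.5.20,198.51.100.4,98000
2023-05-27T03:40:00Z,10.10.5.20,198.51.100.9,110000
2023-05-27T04:15:00Z,10.10.5.20,198.51.100.4,105000
2023-05-27T05:30:00Z,10.10.5.20,198.51.100.9,115000
2023-05-27T06:02:00Z,10.10.5.20,203.0.113.7,1600000
2023-05-27T06:21:00Z,10.10.5.20,203.0.113.7,1600000
2023-05-27T06:48:00Z,10.10.5.20,203.0.113.7,1600000
2023-05-27T01:00:00Z,10.10.5.21,198.51.100.4,50000
2023-05-27T02:00:00Z,10.10.5.21,198.51.100.4,52000
2023-05-27T03:00:00Z,10.10.5.21,198.51.100.4,48000
2023-05-27T04:00:00Z,10.10.5.21,198.51.100.4,51000
"""

# Scale factor that makes the MAD comparable to a standard deviation
# for normally distributed data (assumed tuning constant).
MAD_SCALE = 1.4826


def hourly_totals(flow_text: str) -> Dict[str, Dict[str, int]]:
    """Sum bytes_out per source host per UTC hour bucket ("YYYY-MM-DDTHH")."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, bytes_out in csv.reader(io.StringIO(flow_text)):
        totals[src][ts[:13]] += int(bytes_out)
    return {src: dict(hours) for src, hours in totals.items()}


def find_spikes(flow_text: str, k: float = 5.0,
                min_buckets: int = 4) -> List[Tuple[str, str, int, float]]:
    """Return (src, hour, bytes, threshold) for every hour whose volume exceeds
    median + k * scaled MAD of that host's own hourly volumes.

    Hosts with fewer than min_buckets hours of history are skipped rather
    than scored against a baseline that does not exist yet.
    """
    spikes = []
    for src, hours in hourly_totals(flow_text).items():
        volumes = list(hours.values())
        if len(volumes) < min_buckets:
            continue
        med = statistics.median(volumes)
        mad = statistics.median([abs(v - med) for v in volumes])
        # A perfectly flat history gives MAD == 0; fall back to a fraction of
        # the median so the threshold is never equal to the baseline itself.
        spread = MAD_SCALE * mad if mad > 0 else 0.5 * med
        threshold = med + k * spread
        for hour, volume in sorted(hours.items()):
            if volume > threshold:
                spikes.append((src, hour, volume, threshold))
    return spikes


if __name__ == "__main__":
    for src, hour, volume, threshold in find_spikes(SAMPLE_FLOWS):
        print(f"ALERT {src} {hour}: {volume} bytes out "
              f"(threshold {threshold:.0f}) - review against T1041 exfiltration")
```

In production the same logic would run over a flow or proxy feed with a longer baseline window; the per-host median and MAD are what keep one unusually busy hour from masking itself.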

Watch for further DFS enforcement actions and any forthcoming guidance on supply‑chain cybersecurity as states tighten oversight of personal‑data protection.
