
Friday, June 9, 2023
MOVEit: An oldie but a goodie…

The recent breach of the MOVEit file transfer site already provides a number of lessons.

  1. Outsourcing doesn’t mean you, your data or processes are secure; you should check the security posture of your suppliers as part of your due diligence process;
  2. Just because an exploit is old (like SQL Injection) doesn’t mean it can’t work – but it is embarrassing that the vulnerability had not been spotted before;
  3. As with the NotPetya attack, the supply chain vulnerability was carefully thought through: hit one, hit many;
  4. The timing (over the Memorial Day weekend) was clearly chosen deliberately, for a moment of diminished concentration;
  5. While breaches are always good for lawyers, it will be interesting to see how liability falls: will MOVEit’s terms and conditions be found to absolve it of all liability? Or are we about to see a string of lawsuits aimed at MOVEit?

Is it me, or does the practice of sending huge files full of sensitive information over the internet seem a bit 20th Century? It is perhaps a step up from sending USB sticks in the mail. The absence of encryption is also worrying – personal data should always be encrypted. Managed File Transfer (MFT) sites are getting popular with hackers; GoAnywhere (another file transfer site) was attacked in February, and 130 organisations had their data ransomed. Although the exploit was different, the attack was attributed to the same Ransomware as a Service (RaaS) gang as MOVEit (Clop).

So, if you use MFT sites, be sure you understand the risks and liabilities – protect your data – and require your supplier to confirm that they are doing so too. 

As ever, we at Astaara stand ready to support our clients through their cyber journey. #resilienceandrecovery 

  • William Egerton
    Chief Cyber Officer