The U.S. investment advisory division of a Canadian-headquartered bank is among the latest companies to admit it was sideswiped by the exploitation of a zero-day vulnerability (CVE-2023-34362, an SQL injection flaw) in Progress Software’s MOVEit Transfer file transfer application.
Scotia Wealth Management, part of the Bank of Nova Scotia, acknowledged in a letter filed with the state of Massachusetts that personal information held by its Scotiatrust estate planning service was copied by a hacker who compromised the server of consulting company Ernst and Young LLP (EY).
“We contracted EY to provide Scotiatrust with routine testing to verify compliance [of Scotiatrust systems] with U.S. government regulations for tax reporting and withholding. Client information was provided to EY to facilitate this testing,” the letter explains.
“We have been in regular contact with EY to determine the impact to your information and provide any information we can to assist in the investigation.
“EY has informed us that the following information of affiliated individuals may have been exposed: name, date of birth, address, phone number, social security number, driver’s license, and/or passport information. Investment holdings and account balances were not exposed and Scotiabank systems were not directly compromised in this incident.”
The letter doesn’t say how much data was copied, how many people are affected, or whether Canadian customers were affected as well.
Asked over the weekend for comment, Katie O’Dell, director of communications for Scotiabank global wealth management, emailed this statement: “This cybersecurity incident that occurred at a third-party vendor impacted a limited number of our clients that hold custody accounts with Scotiatrust. We are working closely with all parties to support the investigation and have notified all impacted clients.”
Asked whether Canadian customers were also affected, O’Dell said the bank had no further comment.
According to a count by researchers at Emsisoft, over 680 organizations and potentially millions of their customers or employees have been directly or indirectly impacted by the exploitation of the MOVEit vulnerability. The flaw was found and exploited as a zero-day by the Clop ransomware gang, which began abusing it in May, before a patch was available.
An organization is directly impacted when data of its customers or employees is stolen, and indirectly when customer or employee data that it shipped to a third party was stolen from that processor.
That means an organization can be victimized a number of times, depending on the number of data outsourcers it uses. Colorado State University (CSU), for example, was indirectly hit six times: The National Student Clearinghouse, the Teachers Insurance & Annuity Association (called TIAA), Corebridge Financial, Genworth Financial, and insurers The Hartford and Sun Life all had CSU student, faculty or employee data when either their MOVEit servers were compromised or the servers of their outsourcers were hit.
Sun Life doesn’t use MOVEit itself, but it said that when the MOVEit server of one of its partners, Pension Benefit Information, LLC (known as PBI), was hacked, some personal information of customers that Sun Life had shipped to PBI was copied. Sun Life, like many American organizations, uses PBI to regularly check government and corporate databases to determine whether benefits are being paid to the correct beneficiaries.
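The direct/indirect distinction above, and the way a single organization can be hit once per processor and sub-processor chain, is the kind of question a third-party risk team has to answer quickly after an incident like this. The following Python is an added example written for this page, not code from Emsisoft or any of the organizations named; it walks a constructed data-sharing graph (sender → recipient) and counts, for each organization, every chain of processors that ends at a compromised MOVEit server. The organization names and edges are sample data loosely modelled on the article and are not an assertion about any real data flow.

```python
"""Third-party exposure triage after a file-transfer server compromise.

Model: a directed graph of data-sharing edges (sender -> recipient).
A "breach point" is a recipient whose MOVEit server was compromised.
  - Direct impact:   the organization itself is a breach point.
  - Indirect impact: the organization shipped data along a chain of one
    or more processors that ends at a breach point.
Every distinct chain ending at a breach point is counted once, so an
organization with several outsourcers (or an outsourcer that itself
outsources) can be "hit" several times.
"""
from collections import defaultdict

# Constructed sample graph (assumption for illustration, not real data).
SAMPLE_EDGES = [
    ("CSU", "National Student Clearinghouse"),
    ("CSU", "TIAA"),
    ("CSU", "Sun Life"),
    ("Sun Life", "PBI"),            # Sun Life runs no MOVEit; PBI does
    ("Scotiatrust", "EY"),
    ("Missouri DSS", "IBM Consulting"),
]
# Constructed set of processors whose MOVEit servers were compromised.
SAMPLE_BREACHED = {
    "National Student Clearinghouse", "TIAA", "PBI", "EY", "IBM Consulting",
}
SAMPLE_ORGS = ["CSU", "Sun Life", "Scotiatrust", "PBI", "Missouri DSS", "Acme Co"]


def build_graph(edges):
    """Adjacency list: sender -> list of recipients it ships data to."""
    graph = defaultdict(list)
    for sender, recipient in edges:
        graph[sender].append(recipient)
    return graph


def exposure_chains(graph, org, breached, _path=None):
    """Return every data-flow chain starting at `org` that ends at a
    breached processor, as tuples (org, ..., breached_processor).

    The walk continues past a breached hop because a processor may
    forward data onward; each breached hop is a separate exposure event.
    Nodes already on the current path are skipped so a mis-specified
    (cyclic) graph cannot recurse forever.
    """
    path = (_path or ()) + (org,)
    chains = []
    for nxt in graph.get(org, []):
        if nxt in path:          # cycle guard
            continue
        if nxt in breached:
            chains.append(path + (nxt,))
        chains.extend(exposure_chains(graph, nxt, breached, path))
    return chains


def classify(graph, breached, orgs):
    """Map each org to (kind, hit_count, chains) where kind is
    'direct', 'indirect' or 'none'."""
    result = {}
    for org in orgs:
        chains = exposure_chains(graph, org, breached)
        if org in breached:
            kind = "direct"
        elif chains:
            kind = "indirect"
        else:
            kind = "none"
        result[org] = (kind, len(chains), chains)
    return result


if __name__ == "__main__":
    report = classify(build_graph(SAMPLE_EDGES), SAMPLE_BREACHED, SAMPLE_ORGS)
    for org, (kind, hits, chains) in report.items():
        print(f"{org:14s} {kind:9s} hits={hits}")
        for chain in chains:
            print("    " + " -> ".join(chain))
```

In practice the edge list would come from a vendor inventory or data-processing register, and the breached set from vendor notifications; the value of the walk is that it surfaces sub-processor exposure (an organization that never sent data to a MOVEit server at all, like Sun Life's customers via PBI) that a flat "do we use MOVEit?" check misses.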
Another example: Last week, the Missouri Department of Social Services notified an unknown number of people receiving Medicaid in the state that data sent to IBM Consulting for processing had been copied in a MOVEit hack. The data included names, department client numbers, dates of birth, possible benefit eligibility status or coverage, and medical claims information.
Another example, also involving IBM: On Friday, Colorado’s Department of Health Care Policy and Financing said in a regulatory filing that data on 4 million residents was copied when IBM’s MOVEit server was hacked in May. The files contained certain Health First Colorado and CHP+ members’ information, which could have included names, Social Security numbers, medical information, and health insurance information.
EY isn’t the only major accounting/consulting firm hit. So were Deloitte and PwC.
Meanwhile, the Clop gang, which has been demanding payment from victim firms in exchange for not publishing the stolen data, has promised to start publicly releasing data from organizations that aren’t co-operating tomorrow.
Depending on its nature, says Emsisoft researcher Brett Callow, exfiltrated data may represent a risk not only to the organization from which it was stolen, but also to its customers and business partners, as the information can potentially be used for identity fraud, in business email compromise (BEC) attacks, and more. “The risk of misuse exists from the moment data is improperly accessed, but is amplified when it’s leaked as, at that point, the information becomes available to other cybercriminals.”