Ransomware Group Recordsdata SEC Grievance Over Sufferer’s Failure to Disclose Information Breach
A infamous ransomware group has filed a grievance with the US Securities and Alternate Fee (SEC) over the failure of a sufferer to reveal an alleged knowledge breach ensuing from an assault carried out by the cybercrime gang itself.
The ransomware group often called Alphv and BlackCat claims to have breached the programs of MeridianLink, a California-based firm that gives digital lending options for monetary establishments and knowledge verification options for shoppers.
The cybercriminals declare to have stolen a major quantity of buyer knowledge and operational info belonging to MeridianLink, and they’re threatening to leak it except a ransom is paid.
In an obvious effort to extend its probabilities of getting paid, the malicious hackers declare to have filed a grievance with the SEC in opposition to MeridianLink, accusing the corporate of failing to reveal the breach inside 4 enterprise days, as required by rules introduced by the company in July.
BlackCat printed screenshots on its leak web site on November 15 to point out that the grievance has been filed and acquired by the SEC.
This seems to be the primary time a ransomware group has filed an SEC grievance in opposition to one in every of its victims.
The hackers instructed DataBreaches.net that the assault in opposition to MeridianLink — which allegedly didn’t contain file-encrypting ransomware, solely knowledge theft — was carried out on November 7 and it was found the identical day.
Nonetheless, MeridianLink instructed DataBreaches.web that the intrusion occurred on November 10.
“Upon discovery on the identical day, we acted instantly to include the menace and engaged a group of third-party specialists to analyze the incident. Based mostly on our investigation thus far, we’ve recognized no proof of unauthorized entry to our manufacturing platforms, and the incident has induced minimal enterprise interruption,” the corporate mentioned, including that it can’t share additional particulars on account of its ongoing investigation.
It’s price stating that the brand new SEC knowledge breach disclosure guidelines will solely go into impact in mid-December 2023. As well as, firms will likely be required to inform the SEC inside 4 enterprise days of figuring out {that a} cybersecurity incident is materials to buyers, which, based mostly on MeridianLink’s assertion, has but to occur.
Contacted by SecurityWeek, an SEC spokesperson declined to remark.
BlackCat has been one of the crucial energetic ransomware operations and it’s not unusual for the group to attempt new strategies for convincing targets to pay up, together with by establishing dedicated leak websites for particular person victims.
*up to date to say that the SEC declined to remark
Associated: BlackCat Ransomware Targets Industrial Companies
Associated: Western Digital Confirms Ransomware Group Stole Customer Information