“I like to move it, move it,” goes the song by those pioneers of American hip house, Reel 2 Reel. It may as well have become the unofficial anthem of the Cl0P ransomware gang in June. As early as March, the Russian hacking collective began exploiting an SQL injection vulnerability in the MOVEit file transfer service, widely used by public sector organisations and major companies. The extent of the damage that Cl0p had wrought only began to emerge in June, however, with cybersecurity company Rapid7 reporting some 2,500 instances of data being exposed online. 

An abstract representation of the file transfer process gone wrong, used to illustrate a story about MOVEIt.
The file transfer process, as imagined by AI. A vulnerability in the file transfer service MOVEit that was exploited by the Cl0P ransomware organisation led to hundreds of data breaches around the world. (Photo by Shutterstock)

It only got worse. On 5 June, British Airways (BA), the BBC and Boots were all impacted by a cyberattack on the payroll company Zellis. Thousands of employees’ personal details were exposed, a breach directly linked at the time to the exploitation of the MOVEit vulnerability (two days later, BA and BBC received the customary ransomware demand from Cl0p.) By 15 June, oil conglomerate Shell had been impacted, alongside financial services providers First National Bank, Putnam Investments and 1st Source. Ransom demands appeared to peak toward the end of the month with Cl0p naming and shaming Siemens Energy and Schneider Electric as the latest victims of what now appeared to be one of the largest cyberattacks in history – though others would continue to emerge as the year continued. 

MOVEIt and get aboard the AI hype train

June was also a big month for the UK government’s AI ambitions. On 8 June it announced its convening of the first global AI summit, a chance for world leaders to meet and hash out the rules of the road for a technology that many thought had the potential to either upgrade the global economy or destroy it. As such, risk mitigation was top of the agenda. Discussions at the summit, the UK government said, would cover risks associated with “frontier systems, and discuss how they can be mitigated through internationally coordinated action”. 

It doubled down on this commitment to shaping AI safety research later in the month by announcing some £50m in additional funding. Other government tech measures won fewer plaudits. On 19 June, NHS England was urged by campaign groups Foxglove and the Doctor’s Association UK (DAUK) to reconsider its tender for the Federated Data Platform (FDP), a massive IT project designed to knit together the scattered data repositories of the British health service into one, unified whole. 

Rationality in data analysis was a noble aspiration, said Foxglove and DAUK, but they argued that the government’s approach to enlisting public support for the data collection that the project demanded was notably ham-fisted. That mattered a lot more, they continued, as the prospective winner of the contract to run the FDP was Palantir, a US tech company founded by an entrepreneur with an especially dim view of the NHS (this prediction was later to be proved right.) 

Foxglove also claimed from the results of a survey it commissioned on the matter that the majority of the public would not support a project so integral to the running of the health service to be managed by a private company to begin with. That would have therefore made it unlikely that the FDP would be able to provide useful insights about population health, among other insights, as its supporters claimed. 

More from June 2023: