Serco’s US division has seen data on 10,000 people stolen as part of the ongoing cyberattack exploiting a vulnerability in popular file transfer platform MOVEit Transfer. The outsourcing company is the latest victim of the attack, which has hit some of the biggest names in business. The disclosure comes days after US government contractor Maximus said healthcare information on up to 11 million people may have been stolen as part of the attack.
Information stolen by the hackers, thought to be Russian ransomware gang Cl0p, from Serco includes names, dates of birth, home addresses, social security numbers, personal and professional email addresses and some health benefit information, a breach disclosure notice said.
Serco operates across 35 countries, including the UK, employing over 50,000 people. It reported revenue of $5.7bn in 2022.
MOVEit Transfer vulnerability hits Serco
Serco disclosed the breach this week to the Maine Attorney General’s Office, admitting that the data of over 10,000 people had been stolen through an “external system breach (hacking)”.
The notification says that the data was taken via one of Serco’s suppliers, CBIZ, which provides HR and accountancy services and used the MOVEit Transfer platform to exchange data.
Serco became aware of the incident on 30 June, more than a month after it took place. The disclosure notification says: “We understand from CBIZ that the incident began in May 2023 and CBIZ took steps to mitigate the incident on 5 June 2023. To be clear, the breach of CBIZ’s systems did not affect the safety and security of Serco’s systems.”
Serco supplies services to the Departments of Homeland Security, State and Justice, US federal agencies and branches of the US Armed Forces, including the Navy, Army, Air Force and Marine Corps. Corporate clients of the company in the US also include Pfizer, Wells Fargo and Capital One.
It is not known which of Serco’s customers the stolen information belongs to.
Maximus also affected by MOVEit software flaw
Serco is the second US government supplier to fall victim to Cl0p in a week, after Maximus, which administers programmes such as Medicare, Medicaid and welfare-to-work, admitted that up to 11 million patient records may have been stolen.
In an SEC report filed last week, Maximus confirmed that the personal information of a “significant number” of people had been stolen through the compromise of MOVEit Transfer. The organisation uses the software to “share data with government customers pertaining to individuals who participate in various government programs”, the filing states.
The company says the stolen data contains personal information including social security numbers and protected healthcare information. It has started to inform those affected and expects the incident to cost $15m to investigate and remediate.
Tech Monitor has contacted Serco and Maximus for comment but has had no response from either, at the time of writing.
The MOVEit Transfer vulnerability attack
Cl0p is thought to have discovered the MOVEit Transfer vulnerability earlier this year, and began its attack in May. Security vendor Emsisoft believes the attack has already amassed over 500 victim companies and impacted 40 million people. The vulnerability, tracked as CVE-2023-34362, is an SQL injection flaw that can allow an unauthenticated attacker to gain access to the MOVEit Transfer database, infer its structure and contents, and execute SQL statements against it. Progress Software, which makes the product, published fixes for it on 31 May 2023; installations that were exposed to the internet before patching should be assumed to have been targeted.
Its highest-profile victims so far include Shell, British Airways, the BBC, the Discovery Channel and Estée Lauder. On Thursday a tranche of 38 victims was added to its dark web victim blog, including published screenshots of sample data from all the victims involved.
According to online cybercrime tracker DarkFeed, Cl0p was the most active ransomware gang in the world last month, with 170 attacks, compared to 48 from the next busiest group, LockBit.