View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Serco confirms data on 10,000 people was stolen in a MOVEit Transfer vulnerability breach

It is the second US government contractor in a week to be hit by hackers from the Cl0p ransomware gang.

By Claudia Glover

Serco’s US division has seen data on 10,000 people stolen as part of the ongoing cyberattack exploiting a vulnerability in popular file transfer platform MOVEit Transfer. The outsourcing company is the latest victim of the attack, which has hit some of the biggest names in business. The disclosure comes days after US government contractor Maximus said healthcare information on up to 11 million people may have been stolen as part of the attack.

Moveit transfer vulnerability
Serco falls victim to cyberattack through MOVEit Transfer vulnerability. (Photo by IgorGolovniov/Shutterstock)

Information stolen by the hackers, thought to be Russian ransomware gang Cl0p, from Serco includes names, dates of birth, home addresses, social security numbers, personal and professional email addresses and some health benefit information, a breach disclosure notice said.

Serco operates across 35 countries, including the UK, employing over 50,000 people. It reported revenue of $5.7bn in 2022.

MOVEit Transfer vulnerability hits Serco

Serco disclosed the breach this week to the Maine Attorney General’s Office, admitting that the data of over 10,000 people had been stolen through an “external system breach (hacking)”. 

The notification says that the data was taken via one of Serco’s suppliers, CBIZ, which provides HR and accountancy services and used MOVEit Transfer’s platform to transfer data.

Serco became aware of the incident on 30 June, more than a month after it took place. The disclosure notification says: “We understand from CBIZ that the incident began in May 2023 and CBIZ took steps to mitigate the incident on 5 June 2023. To be clear, the breach of CBIZ’s systems did not affect the safety and security of Serco’s systems.”

Serco supplies services to the Departments of Homeland Security, State and Justice, US federal agencies and branches of the US Armed Forces, including the Navy, Army, Air Force and Marine Corps. Corporate clients of the company in the US also include Pfizer, Wells Fargo and Capital One.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

It is not known which of Serco’s customers the stolen information belongs to.

Maximus also affected by MOVEit software flaw

Serco is the second US government supplier to fall victim to Cl0p in a week, after Maxmimus, which administers programmes such as Medicard, Medicaid and welfare-to-work admitted up to 11 million patient records may have been stolen.

In an SEC report filed last week, Maximus confirmed the personal information of a “significant number” of people through the use of MOVEit Transfer. The organisation uses the software to “share data with government customers pertaining to individuals who participate in various government programs”, the filing states.

The company says the stolen data contains personal information including social security numbers and protected healthcare information. It has started to inform those affected and expects the incident to cost $15m to investigate and remediate. 

Tech Monitor has contacted Serco and Maximus for comment but has had no response from either, at the time of writing.

The MOVEit Transfer vulnerability attack

Cl0p is thought to have discovered the MOVEit Transfer vulnerability earlier this year, and began its attack in May. Security vendor Emsisoft believes the attack has already amassed over 500 victim companies and impacted 40 million people. The vulnerability, tracked as CVE-2023-34362 is an SQL injection vulnerability that has the potential to allow an unauthenticated attacker to gain access to MOVEit Transfer databases. 

Its highest-profile victims so far include Shell, British Airways, the BBC, the Discovery Channel and Estee Lauder. On Thursday a tranche of 38 victims was added to its dark web victim blog including published screenshots of sample data from all the victims involved. 

According to online cybercrime tracker DarkFeed, Cl0p was the most active ransomware gang in the world last month, with 170 attacks, compared to 48 from the next busiest group, LockBit. 

Read more: Capita expects £25m costs from cyberattack

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.