Every Wealth Manager Needs to Know About MOVEit
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Many of you have likely never heard of MOVEit, Progress Software, or cl0p. But you may not have heard of the MOVEit breach that affected every college student in the United States, anyone who lives in Louisiana, current and former teachers, and nearly every annuity holder. Class action lawsuits have already been filed with Fidelity and Schwab/TD as defendants. Emisoft reported over 1,160 firms affected and the personal information of over 60 million people is in the hands of cybercriminals.
The MOVEit breach affected the clients of every wealth manager in America.
This article is not hyperbole or written to scare the reader. My article will cover:
- Defining the breach in executive terms;
- The meaning of the breach to your clients and your firm;
- The steps you can recommend for your clients today; and
- The steps that you can take to protect your firm and your employees.
What is MOVEit?
MOVEit is a software program owned by Progress Software. The program is used to move sensitive information from one organization to another. It is called file transfer software because it transfers the files between two organizations. The software is marketed as a secure managed-file-transfer application. Its marketing materials say that it is an essential ingredient in meeting HIPAA, GDPR, and ISO 27001 compliance. It is called “secure” because MOVEit encrypts the data at the source on its server. Then it encrypts the data by sending it over a secure file transfer capability. MOVEit also uses mult-factor authentication (MFA) to provide an extra layer of security when entering credentials to access the software. MOVEit is called “managed” because it creates an entry for nearly every event that happens in the software in an audit log. Think of an audit log like a captain’s log (Star Trek fans) in that it has an entry for every major event and every day. We’ll come back to the audit log a bit later.
Progress Software has been in business since 1981 when it was started by four Massachusetts Institute of Technology graduates. The company acquired MOVEit from another Massachusetts-based company in 2019. Progress is a well-known, respected, and trusted company in the enterprise-software space.
MOVEit is successful software
MOVEit is very popular for industries that need to transfer sensitive information between the company and service providers. You can understand how MOVEit, with its marketing as a compliant file-transfer solution, was very popular for governments, financial services firms, and healthcare companies. In fact, over 30% of MOVEit’s clients were financial services firms. MOVEit was used by over 1,700 companies and by over 3.5 million developers, according to Progress Software. Its company website says its clients include Chase Bank, Disney, BlueCross BlueShield, GEICO, JetBlue, and Major League Baseball. Censys, a cybersecurity firm, performed an Internet registry search and identified 3,800 MOVEit transfer servers exposed to the internet on May 23, 2023, just before the breach.
The MOVEit breach
A security breach happens when any incident that results in unauthorized access to computer data, applications, networks, or devices. A bad actor is someone who creates an incident to exploit a vulnerability to gain unauthorized access. The bad actor in our story was cl0p, a Russian-speaking ransomware gang. Cl0p found a vulnerability in the MOVEit software where it could execute commands from a normal user input field. Imagine the phone number field in your CRM. You enter a command into the phone number field and your CRM executes that command. cl0p entered a database command, called a SQL statement, into a user input field. This type of attack is called a SQL injection attack in cybersecurity terms. The commands allowed cl0p to copy, or exfiltrate, the data in the MOVEit servers. Cl0p executed a wide cybersecurity attack on May 27, 2023, to coincide with the Memorial Day holiday in the United States. Progress issued an alert to its customers on May 31, 2023. It is entirely likely that cl0p exfiltrated data from the vast majority of MOVEit servers during the long Memorial Day weekend and in the five days between launching the attack and when Progress issued its alert. Cl0p claimed responsibility for the attack on June 5, 2023.
Log files (remember those) from the Microsoft Internet Information Services (IIS) servers of impacted customers found similar activity to the attack as early as July 2021. The commands during the July 2021 time frame appeared to run over a longer amount of time. The longer timeframe suggests that cl0p was testing a manual process to access the vulnerability. Similar activity found in log files from April 2022 showed that the commands ran in a shorter amount of time. This suggests that cl0p was testing an automated solution to its attack. The affected MOVEit customers, the companies and government agencies that had data stolen, may have seen the earlier attacks had they reviewed their log files. This attack is likely to be one of the most profitable ever for cl0p. The estimates within the cybersecurity community expect cl0p to earn up to $100 million in ransoms. This will embolden the group further to commit more widespread attacks.
MOVEit affects your clients
The National Student Clearinghouse (NSC) is the trusted source for education verification offering a nationwide collection of enrollment and degree data. You may have never heard of NSC, a national non-profit with 3,600 partner schools across the country. It provides enrollment and degree verification to the National Student Loan Data System, private employers, external scholarship organizations, and member schools to conduct prior and subsequent enrollment reviews.
NSC oversees 97% of students enrolled in public and private institutions of higher education and 70% of students enrolled in public and private high schools. The extent of data exfiltrated by cl0p is unknown. Many universities have confirmed that students’ Social Security numbers were exposed. This means that the personal information of your account beneficiaries is in the hands of cl0p.
Teachers Insurance and Annuity Association of America (TIAA) was served a class action lawsuit on August 8, 2023, alleging it failed to protect the personal information of nearly 2.4 million people that were exposed in the May data breach involving Progress Software’s MOVEit file-transfer application. This represents nearly 50% of TIAA’s 4.7 million members. It is entirely likely that if any of your clients are or were teachers, their personal information was exposed in this breach.
MOVEit was used by the Louisiana Office of Motor Vehicles. The office issued a statement outlining that its customer’s names, Social Security numbers, dates of birth, legal addresses, driver’s license numbers, and other information found on the driver’s license was exfiltrated. The state of Louisiana has an estimated 4.58 million residents, and the Office of Motor Vehicles estimates that six million records may have been exfiltrated. It is likely that licenses issued prior to a name change (for example, a maiden name) and licenses issued to residents who are now deceased may have been compromised. All your clients who reside in Louisiana must assume that all their personal information is in the hands of cl0p.
The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information. The population of Colorado is 5.8 million people. You must assume that the personal information of all your clients who currently or recently resided in Colorado is in the hands of cl0p.
These examples are only a handful of the organizations that reported their MOVEit breach.
Advice you can give clients
This article affects a portion of every wealth manager’s client base. It affects all the information that your teams use daily to verify your client and satisfy "know your customer” verifications. You can provide your clients with excellent advice when they may not understand this breach or how they can protect themselves. Provide your clients with the following advice:
- Freeze your credit
Clients have the right to freeze their credit, which limits companies from being able to access their credit report. Freezing their credit can stop identity thieves from opening accounts in their name.
- Monitor your accounts and credit
Keep an eye on your bank accounts and credit cards for any activity you don't recognize. If you receive bills in your name that aren't yours, contact the lender immediately to dispute it. You can check your credit report for free.
- Watch for phishing schemes
Phishing is a fraudulent practice in which an attacker masquerades as a reputable entity or person in an email or other form of communication. Phishing schemes will increase significantly, and they will seem more legitimate with this much personal information in the hands of bad actors.
- Change passwords
Change the passwords to all important sites. Consider using a password manager to create long, complex passwords.
- Multi-factor authentication
Enable multi-factor authentication on any website or application that supports the capability. All advisors are familiar with multi-factor authentication and can explain the benefits to your clients.
Protect your firm and employees
Your employees may also be victims depending on their prior profession or their current or past residence. In these cases, forward this article to them so that they can take the steps that I recommended for your clients. The vast amount of personal information available to criminals from this breach will lead to a large increase in impersonation attacks on financial services firms. Your firm may get bogus phone calls or emails that pretend to be your clients but are, in fact, form a criminal.
Educate your team to always verify your client’s identity when processing money transfers or trades by calling the client back using a phone number in your CRM to confirm that the request came from the client. Educate yourself and your team about cybersecurity best practices, such as identifying phishing emails, avoiding suspicious links and attachments, and using strong, unique passwords. The list of victim companies and government agencies is likely to grow sharply as we enter the fall. The number of victims will grow beyond the current 60 million. Educate your team members on this breach and what will inevitably be the long-term risk of client impersonation and increased phishing attacks that are more sophisticated.
You have spent your entire career helping your clients. This is an opportunity to provide guidance and reassurance to them. Use this opportunity to educate them and implement new cybersecurity policies in the process, such as independently verifying your client when they ask for account information or changes.
John O’Connell, founder and chief executive officer for The Oasis Group, specializes in helping wealth management and technology firms to solve their most complex challenges. His newest online training courses serve as a leading source of education for financial professionals at all levels in their careers. With modules ranging from cybersecurity to custodian markets and more, https://training.theoasisgrp.com/ enables firms and enterprises to upskill, learn at their own pace and rewatch lessons to reinforce specific learning objectives. Get an additional 20% off any course with coupon code ADVISORPERSPECTIVES.
A message from Advisor Perspectives and VettaFi: To learn more about this and other topics, check out our most recent white papers.