The Biggest Cyber Hack of 2023 Consumers Don’t Know About

Chances are you’ve never heard of MOVEit. Sure, you’ve probably been told aggressively to move it along, but I’m not here to walk you through those situations. And no, I didn’t spell that wrong or accidentally hit all caps.

What is IT? 

I’m actually referring to Progress Software’s application called “MOVEit.” 

MOVEit is a secure file transfer software that is used by a variety of companies. Primary users are financial organizations—think banks, credit unions, brokerages, loan administrators, etc. and educational institutions. 

These organizations often have to transfer highly confidential information between systems, subsidiaries, and partner organizations. Because the data transferred typically contains Personally Identifiable Information (“PII”), it must be transferred securely. This is often governed by compliance requirements. 

MOVEit is a popular solution that securely transfers this data on behalf of customers. With more than 1,700 software companies and 3.5 million users worldwide relying on its services, MOVEit Transfer is a key player in the managed file transfer ecosystem.

So, you can imagine the issues raised when a security vulnerability in MOVEit was discovered and exploited in late 2022. To make matters worse, IT administrators are either unaware of the danger or too slow in patching it. One estimate notes, “around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of the MOVEit spree.”

You’ve likely heard about the MGM hack that occurred earlier this year. Well, the impact of MOVEit dwarfs that by comparison. As of this writing, over 800 organizations have been victimized by cyber attacks exploiting MOVEit’s vulnerability and as of August 2023, over 60 million individuals have been impacted.

This Time, It’s Personal

As a Solution Engineer for Intelisys, part of my job (and my passion) is keeping up with current cybersecurity threats. I have been tracking the MOVEit story since February and advising many of you about how you can help your customers protect against and overcome the threat. 

But in this instance, it got real personal for me about a month ago. 

I purchased my first home in August 2022. It was a very exciting time for my family and a big step forward. I knew I didn’t know everything about real estate purchases then. Since then, I have learned that it is a common practice for a lender to sell your home loan to another lender, which happened to us. “Not a big deal,” I thought at the time, “It’s just a different name on the check I write every month.” 

As anyone who’s purchased a home knows, there is a lot of research that goes into selecting your initial mortgage lender. At first, I was just annoyed that I had wasted a lot of time, and here I was, contracted with a company I knew nothing about. But still, happens all the time. No big deal. 

And then, it happened.  

I was listening to a cybersecurity podcast a few weeks later, and lo and behold, I learned that my new lending company was hit by a cyber-attack exploiting the MOVEit vulnerability. Now, my personal information was in the hands of a sophisticated cybersecurity gang. 

Worse, I found out from that podcast, not my lender. And even today, they still haven’t formally notified me that they were hit. 

My experience reminds me of how many organizations view cybersecurity and risk…”We’ll address it when we have a problem.” What this experience has exposed to me is that I need to tighten down the screws on my family’s cybersecurity posture because we now have the cross hairs right on top of us when in fact, they always were. Even as I write that sentence, I think, “Only a nerd would put it that way.” 

What’s Your Opportunity? 

You may be thinking, “have I been hit as well?!?” Maybe, and I will address that in the post script.  

But what’s really important is the business opportunity this presents for you. Your customers need the impartial advisory services you bring them on this subject. Your starting point is as simple as looking through your book of business, reaching out to your customers in the Financial and Education segments, and simply asking if they are using MOVEit. If the answer is yes, are they aware of the breach, and if they are, have they patched their systems?

This, however, only addresses the symptoms, not the problem. The real problem is the failure to recognize the impacts of “Third Party Risk.” This is also known as the vendor or supply chain risk. 

What Is Third Party Risk and How Is It Addressed?

This is a category of risk that examines how a company is impacted by the tools and partners they engage with that they don’t have total control over. For example, suppose your customer hosts customer data in Salesforce. In that case, they expose their business to a data breach if Salesforce suffers a security breach. 

Suppose your customer uses secure file transfer software to move sensitive customer data, and that software has a vulnerability. In that case, they are opened up to exploit, which is exactly what happened in the case of MOVEit. 

Here’s why it matters: If your customers are not tracking the risk level of third-party associations, they will have no clue where their controls and mitigations need to be tighter.  

The good news? Third-party risk management SaaS solutions, combined with advisory services, can help your customers track all vendor relationships, how critical they are, what kind of service they provide you, and due diligence information about the vendor. 

This due diligence information could be a copy of their business insurance certification, cybersecurity certifications (like ISO 27001 or SOC II), or internal policies and processes for dealing with a breach. These solutions often include tabletop exercises for your teams to understand how they would react in a cybersecurity incident.  

And, you guessed it, all these solutions are available in our supplier portfolio. 

What Should I Do Next?

If you feel prepared to converse with your customers about cybersecurity or risk management, call them! If you don’t, contact us, and we will join you and support that conversation. This is a benefit of being a Sales Partner with us: you can access Solution Engineers with this expertise. We welcome the opportunity. 

As promised above, I’ve got advice for you if your personal information has been compromised. 

  1. Start here to see if you have been hit. 
  2. Purchase an Identity Protection solution. There are many different ones out there – the primary differentiator I have seen is whether they provide a dedicated agent to assist you if your identity is stolen.
  3. Freeze your credit and only unfreeze it when you need it. This can be done from any of the three main credit bureau’s websites (Experian, Equifax, and Transunion). This prevents bad actors from taking out loans and credit cards in your name.
  4. Enable Multifactor Authentication everywhere, but most critically, on your email and online banking accounts.
  5. Use a password manager. As an IT admin, I have had to deal with 100s of admin-privileged accounts simultaneously, and a password manager has streamlined that incredibly. (make sure MFA is turned on for your password manager!) …and do not use the password manager built into your web browser.

Pay attention to Security Awareness Training! I know it’s lame, and many people find it boring or a waste of time, but there are gems in those programs to remain safe. Don’t throw the baby (Security Awareness Training) out with the bathwater (bad acting in poorly edited educational videos)

Items three through five above are all enterprise solutions we can help source for you or your customers. Instead of number one, you can now source cybersecurity insurance for your customers through our Supplier Portfolio. Reach out to your Business Development Manager or Solutions Engineer for more information, and remember, friends don’t let friends get hacked.

Continued Learning   

Continued Reading   

Start Marketing   

Ken Mills

President

Ken Mills serves as President of Intelisys and is committed to driving growth for Intelisys and our partners. As a distinguished technology executive with over two decades of experience, Ken has previously held leadership roles at EPIC iO, Dell Technologies and Cisco, and served as a fellow with the U.S. Department of State. His strategic mindset has been an integral part of launching innovative products and solutions in the fields of AI, IoT, and 5G. Ken is driven by his curiosity and passion for groundbreaking technology and complex problems, and constantly explores new frontiers in the world of technology.

Monica Lutes

Manager, People & Culture, ScanSource, Inc. and Intelisys

As Manager, People & Culture, Monica has worked closely with Intelisys employees and leaders since 2018 and has worked with ScanSource companies since 2016. A Human Resources professional with 11 years of experience encompassing all areas of HR, especially employee relations, recruiting, compliance, and training, Monica approaches her role as Manager, People & Culture from a consultative perspective. Her goal is to provide advice and guidance to leaders so they can focus on growing the best teams for the business while also supporting employees’ goals.

Ansley Hoke

SVP Marketing, ScanSource, Inc. and Intelisys

Ansley Hoke is the Senior Vice President of Marketing at ScanSource, Inc., a role she has held since 2019, and extended her leadership to include Intelisys in 2023. She joined the company in 2001, serving in merchandising leadership roles for ScanSource POS and Barcode, including acting Vice President of Merchandising and then later VP of Merchandising for ScanSource Catalyst and overall VP of ScanSource Catalyst. She oversaw sales, supplier relations, and services. Known for her pivotal role in creating effective marketing strategies, Ansley has been integral in driving demand, enhancing partner programs, and significantly contributing to the company’s revenue growth and channel relationships.

Mike Baur

CEO of ScanSource, Inc. and Interim President of Intelisys

Mike Baur serves as Chairman and Chief Executive Officer at ScanSource. Mike has served as the Company’s President or CEO since its inception, as a director since December 1995, and as Chairman of the Board since February 2019. Mike has developed a deep institutional knowledge and perspective regarding ScanSource’s strengths, challenges and opportunities. He has more than 30 years of experience in the IT industry, having served in various leadership and senior management roles in the technology and distribution industries before joining ScanSource. Mike brings strong leadership, entrepreneurial, business building and development skills and experience to the Board.

Stephanie Bouras

Regional Vice President, Southeast

Driven by a partner-first philosophy and a passion for innovation, Bouras embodies a leadership style that’s both compassionate and data-driven. As the Regional Vice President, Southeast, at Intelisys, she’s leveraged her extensive marketing and sales experience to propel her team to new heights. A firm believer in aligning herself with her partners, she sees herself as a collaborator and an integral part of their business. This perspective has allowed her to forge deep connections and drive success. A Florida native, Stephanie’s attention to detail and unwavering commitment to her partners have been key factors in her success.

Michael Raspanti

Regional Vice President, Northeast

Michael joined Intelisys in June of 2020, as a long-time channel veteran. He is responsible for leading the Northeast Region, helping continue the tremendous momentum in one of our strongest markets while also recruiting new up and coming partners that will be the growth engine of our future success.

Kristy Thomas

Vice President, Partner Experience and Enablement

Thomas is responsible for Sales Partner enablement and education for all our technology segments, including CX, managed security, mobility, and connectivity. With over 20 years of executive background in telephony, UCaaS, CCaaS and Cloud services, Kristy enables her customers to think broader and deeper as she guides them through their decision journey. Some of the biggest deals in the channel have become a reality thanks to the expertise and humble excellence Kristy brings to her client’s projects.