How the MOVEit Hack Became the Biggest Breach of 2023

A single SQL injection vulnerability in a piece of file-transfer software triggered a cascading breach that hit more than 2,600 organisations worldwide, exposing data from US government agencies, British Airways, the BBC, pension funds, and tens of millions of ordinary people.

breached.news

On the last day of May 2023, a ransomware gang known as Cl0p did something unusual. Instead of deploying their signature file-encrypting malware — the kind that locks up hospital systems or factory floors and demands payment to restore access — they simply... took data. Quietly. From thousands of organisations at once. And then they waited.

The tool that made this possible was MOVEit Transfer, a piece of enterprise software made by a company called Progress Software. MOVEit is the kind of product most people have never heard of, but which sits at the heart of how large organisations share sensitive files. Payroll processors use it to send employee data to clients. Government agencies use it to transfer case files. Healthcare companies use it to move patient records. For years, it worked exactly as advertised.

What nobody knew — including Progress Software — was that MOVEit contained a critical SQL injection vulnerability. SQL injection is one of the oldest and most well-understood attack categories in cybersecurity: an attacker crafts malicious input that gets interpreted as database commands rather than data, allowing them to read, modify, or exfiltrate information the application was never meant to expose. The MOVEit flaw meant that anyone who knew about it could, in effect, walk in the front door of any organisation running MOVEit's web interface, tell the database to hand over its contents, and walk back out — without ever triggering an alarm.

Cl0p had been sitting on this vulnerability, or something close to it, for months. When they finally moved, they hit thousands of organisations in a matter of days.

Who Is Cl0p?

Cl0p (sometimes written "CL0P" or "Clop") is a Russian-speaking ransomware gang that has been operating since at least 2019. Unlike some criminal groups that operate opportunistically, Cl0p has shown a consistent interest in targeting file-transfer software — the kind of product that, if compromised, can expose data from many different organisations simultaneously. Before MOVEit, they had exploited vulnerabilities in Accellion FTA file transfer appliances and GoAnywhere MFT, another managed file transfer product. The pattern was deliberate.

Several alleged Cl0p members have been identified and in some cases arrested over the years — Ukrainian law enforcement, working with international partners, conducted raids in 2021 that were described as targeting the group. But ransomware gangs are resilient; arrests of peripheral members rarely disrupt core operations, and Cl0p continued operating through and after those actions.

The group's approach with MOVEit differed from typical ransomware operations in a meaningful way. Traditional ransomware attacks are loud: files get encrypted, systems go down, the victim knows immediately that something is wrong. The MOVEit campaign was silent by design. Cl0p's goal was data exfiltration — taking copies of sensitive files — rather than encryption. This meant victims often didn't know they'd been breached until the gang started publishing data or making extortion demands, sometimes weeks later.

This approach also reflected a strategic evolution. Cl0p's demands were directed at individual victim organisations, not at the MOVEit software vendor. Progress Software had written the vulnerable software, but Cl0p wasn't demanding payment from Progress — they were demanding payment from every healthcare provider, pension fund, and government agency that had been running that software and whose data was now in Cl0p's hands.

The Vulnerability

The technical details of the MOVEit vulnerability — designated CVE-2023-34362 — are worth understanding in broad terms, because they illustrate how devastating a single software flaw can be when it lives in widely-deployed infrastructure.

MOVEit Transfer runs a web application that allows authorised users to log in and manage file transfers. That web application communicates with a backend database. The vulnerability existed in how the application processed certain inputs — specifically, it failed to properly validate or sanitise data submitted through the application's web interface. An attacker who knew the structure of the input expected by the application could craft a request containing SQL commands rather than ordinary data. Those commands would then be executed by the database, allowing the attacker to read data from tables that stored file contents, user credentials, and transfer logs.

What made this particularly dangerous was that the vulnerability was exploitable without authentication. An attacker didn't need a valid username or password to exploit it. They simply needed to know the URL of a MOVEit Transfer server — which, for many organisations, was publicly accessible over the internet — and send a specially crafted request.
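To make the mechanism concrete, here is an added example in Python against an in-memory SQLite table; it is not MOVEit's code and not its schema, which the article does not describe. A toy file-transfer lookup that splices a request parameter into its SQL text sits beside the parameterised version; the table, column, folder and owner names are all constructed.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a file-transfer backend; hypothetical schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE transfers (id INTEGER, folder TEXT, filename TEXT, owner TEXT)"
    )
    db.executemany(
        "INSERT INTO transfers VALUES (?, ?, ?, ?)",
        [
            (1, "payroll-2023", "salaries_q2.csv", "payroll-vendor"),
            (2, "payroll-2023", "bank_details.csv", "payroll-vendor"),
            (3, "benefits", "pension_statements.pdf", "pension-fund"),
        ],
    )
    return db


def list_folder_vulnerable(db, folder):
    # The request value is pasted into the SQL string, so a quote in `folder`
    # ends the literal and the rest of the input becomes part of the query.
    sql = f"SELECT filename, owner FROM transfers WHERE folder = '{folder}'"
    return db.execute(sql).fetchall()


def list_folder_fixed(db, folder):
    # Parameterised query: the driver binds `folder` as a value, never as SQL,
    # so the same input can only ever match a folder literally named that way.
    sql = "SELECT filename, owner FROM transfers WHERE folder = ?"
    return db.execute(sql, (folder,)).fetchall()


def demo():
    db = make_db()
    normal = "benefits"
    # Crafted value: closes the string literal and makes the WHERE clause
    # true for every row, so the whole table comes back instead of one folder.
    crafted = "benefits' OR '1'='1"
    return {
        "vuln_normal": list_folder_vulnerable(db, normal),
        "vuln_crafted": list_folder_vulnerable(db, crafted),
        "fixed_normal": list_folder_fixed(db, normal),
        "fixed_crafted": list_folder_fixed(db, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unauthenticated angle in the text is what makes this matter: if the vulnerable function is reachable before login, the caller needs nothing but the server's URL.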

Progress Software released a patch on June 9, 2023, shortly after the flaw was publicly disclosed. But by then, Cl0p had already been exploiting it for days, and the damage was done. Many organisations had been compromised before they even knew a patch existed.

The Victims

The scale of the MOVEit campaign was staggering. By the end of 2023, researchers and journalists tracking the incident had identified more than 2,600 organisations that had been affected either directly (running MOVEit themselves) or indirectly (having their data stored by a MOVEit-using vendor). The total number of individuals whose data was exposed exceeded 77 million by some estimates — though the true figure is difficult to verify because many victims did not disclose specifics.

The range of affected organisations illustrated exactly why supply chain attacks are so devastating.

The US federal government was among the most prominent victims. The Department of Energy confirmed that records from two of its entities — Oak Ridge National Laboratory and the Waste Isolation Pilot Plant — were compromised. The Office of Personnel Management, which holds federal employment records, was also affected through a contractor. Several other agencies were hit through third-party vendors.

British Airways confirmed that employee data had been exposed. The BBC confirmed similar exposure of its staff information. Both organisations used Zellis, a payroll services company, which in turn used MOVEit. This is a key feature of the supply chain problem: British Airways and the BBC were not running MOVEit. They had contracted payroll processing to a company that was. Their employees' data was exposed through no decision of their own.

Shell, the energy giant, confirmed it had been affected. Boots, the UK pharmacy chain, confirmed employee data was exposed. Aer Lingus confirmed its staff data was compromised.

Pension funds were hit hard. The Teachers Insurance and Annuity Association (TIAA) was affected. The California Public Employees' Retirement System (CalPERS) and the California State Teachers' Retirement System (CalSTRS) were both hit through a third-party vendor, PBI Research Services, affecting approximately 769,000 retired public employees. These were people who had no relationship with MOVEit, no knowledge of it, and no ability to protect themselves from a vulnerability in software run by a company they'd never heard of.

Healthcare organisations were among the most severely affected. Maximus, a government contractor that processes Medicaid, Medicare, and student loan data, disclosed that data for up to 11 million individuals had been compromised. The Louisiana Department of Health and the Oregon Department of Human Services were affected through state government systems.

Universities and educational institutions across the US and UK were hit. Student data, faculty records, financial aid information — all of it moved through MOVEit at various points.

The Extortion Campaign

Cl0p's approach to monetising the MOVEit breach was methodical. After the initial exfiltration period, the group began making contact with victim organisations, demanding payment to prevent the publication of stolen data. For organisations that refused or didn't respond, Cl0p published data in batches on their dark web leak site.

The payment demands varied widely — reports suggested demands ranging from hundreds of thousands to tens of millions of dollars, depending on the apparent size and value of the data taken. Some smaller organisations received demands in the $100,000 range. Larger targets received demands that appeared calibrated to their perceived ability to pay.

Few organisations publicly confirmed whether they paid. The UK's National Cyber Security Centre strongly advised against paying ransoms or extortion demands, a position echoed by the FBI and CISA. Payment doesn't guarantee data won't be published anyway, funds criminal operations, and marks the payer as willing to pay — potentially attracting future attacks.

Why Supply Chain Attacks Are So Devastating

The MOVEit breach is the defining example of what cybersecurity professionals call a supply chain attack, and understanding why it's so destructive requires understanding the relationship between software vendors and their customers.

When you run software made by another company, you're implicitly trusting that company's security practices. You're trusting that they've tested their code, that they have a process for finding and fixing vulnerabilities, and that they'll notify you promptly when something goes wrong. For most commercial software, that trust is largely invisible — you install it, it runs, and you don't think much about what's happening inside it.

But that trust creates a profound asymmetry. A criminal group that finds a vulnerability in widely-deployed software doesn't need to attack each victim individually. They can attack the software itself — or, more precisely, exploit the vulnerability in the software — and gain access to all of that software's users simultaneously. The attacker does the work once; the damage multiplies across thousands of victims.

This is qualitatively different from how most people think about cyber attacks, where a specific organisation is targeted because of something about them — their industry, their data, their perceived wealth. Supply chain attacks don't require that. The victims of MOVEit had nothing in common except that they, or one of their vendors, happened to be running a particular piece of software.

As we noted in our coverage of the Colonial Pipeline attack, critical infrastructure and essential services are frequently exposed through exactly this kind of indirect vulnerability — not because the organisations themselves were negligent, but because modern IT environments involve intricate webs of software and service dependencies.

What Personal Data Was Exposed

The nature of the data exposed in MOVEit varied by organisation, but the common thread was sensitivity. MOVEit was used specifically to transfer important files — payroll data, benefits information, healthcare records, legal documents, tax filings. The organisations running it weren't using it to shuffle around marketing materials.

The most common data categories exposed included:

  • Social Security numbers (or equivalent national identification numbers outside the US)
  • Banking details, including account numbers and routing numbers used for payroll direct deposit
  • Healthcare information, including diagnoses, prescriptions, insurance details, and claims records
  • Employment records, including salary information, performance data, and personal contact details
  • Legal and financial documents, including pension statements and tax filings

For the tens of millions of individuals affected, the risk profile depended on exactly whose data was taken and what it contained. Someone whose Social Security number and banking details were exposed through a payroll processor is at substantial risk of tax fraud and account takeover. Someone whose healthcare records were exposed faces privacy violations and potential insurance discrimination in jurisdictions where such protections are weaker.

The Aftermath

Progress Software faced numerous lawsuits from affected organisations and individuals. Regulatory bodies in multiple countries launched investigations. The US Cybersecurity and Infrastructure Security Agency (CISA) issued guidance and worked with affected federal agencies. The UK's Information Commissioner's Office received mandatory breach reports from dozens of UK-based organisations.

Cl0p continued operating. Despite the extraordinary scale of the MOVEit campaign, the group was not dismantled or significantly disrupted in its aftermath. Several members remained unidentified; those who were identified operated from jurisdictions where extradition to the US or UK was not practical.

Progress Software released patches, conducted security reviews, and improved their vulnerability disclosure processes. But for the 2,600+ organisations that had already been compromised, those improvements were retrospective. Their data — and the data of their customers and employees — was already gone.

What Organisations and Individuals Should Do

If you received a breach notification connected to the MOVEit incident — whether from a government agency, an employer, a pension fund, or any other organisation — you should treat the exposed data as permanently compromised. This is not a risk that resolves itself.

For individuals, the priorities are the same as with any exposure of Social Security numbers or financial details: place a credit freeze with all three major bureaus, monitor your credit reports regularly, and be alert to signs of tax fraud (such as a rejection from the IRS for a return that appears to have already been filed).

For organisations, the MOVEit incident should prompt hard questions about supply chain risk. Every piece of software your organisation runs, every vendor you share data with, represents a potential exposure point. The questions worth asking: Do we know what third-party software handles our most sensitive data? Do we have processes in place to patch that software rapidly when critical vulnerabilities are disclosed? Do we know which vendors have access to our customer or employee data, and what their security practices look like?

The answers, in most organisations, are more uncomfortable than anyone would like.
