University System of Georgia: 800K exposed in 2023 MOVEit attack

Image: Georgia Institute of Technology Tech Tower (RobRainer)

The University System of Georgia (USG) is sending data breach notifications to 800,000 individuals whose data was exposed in the 2023 Clop MOVEit attacks.

USG is a state government agency that operates 26 public colleges and universities in Georgia with over 340,000 students.

The Clop ransomware gang leveraged a zero-day vulnerability in Progress Software MOVEit Secure File Transfer solution in late May 2023 to conduct a massive worldwide data theft campaign.

When the threat group started its extortion phase in the MOVEit attacks that impacted thousands of organizations worldwide, USG was among the first to be listed as compromised.

Almost a year later, with the help of the FBI and CISA, USG determined that Clop had stolen sensitive files from its systems and began notifying impacted people.

The notices of data breach were sent between April 15 and April 17, 2024, informing recipients that the cybercriminals accessed the following information:

Given that the number of impacted individuals is larger than the number of students under USG, and considering the type of information, the incident presumably also affects prior students, academic staff, contractors, and other personnel.

The organization submitted a sample of the data breach notice to the Office of the Maine Attorney General yesterday, stating that the data breach impacts 800,000 people.

Also, the entry on Maine's portal lists a driver's license number or identification card number as exposed data types, although these aren't mentioned in the notice.

USG now offers impacted individuals 12 months of identity protection and fraud detection services through Experian, in which the recipients are given until July 31, 2024, to enroll.

Clop's MOVEit attacks were one of the most successful and prolific extortion operations in recent history. Over a year after they took place, organizations still discover, confirm, and disclose breaches, extending the aftermath.

Emsisoft's dedicated counter of MOVEit victims lists 2,771 impacted organizations and nearly 95 million individuals whose personal data lies in Clop's servers.

Some of that data was published on Clop's extortion portal on the dark web, others were sold to cybercrime groups, and some remain to be monetized in the future.