One year after the Cial-Loud cyber attack carried out by the CLOP group, which led to the compromise of hundreds of companies’ confidential data, the University System of Georgia (USG) has been found to have also fallen victim to the hacking. The USG, which consists of 26 state colleges and universities, recently discovered that sensitive files were stolen from their system during the attack.
It was revealed that the CLOP extortion gang exploited a Zero-Day vulnerability in the Moveit Transfer file transmission system developed by Progress Software during the attack a year ago. Working with the FBI and CISA, USG confirmed that the group had taken sensitive data from their system. The organization has started to notify affected individuals about the breach since April 15 this year.
The stolen information included social security numbers, dates of birth, bank account numbers, as well as federal tax documents containing tax identification numbers. According to an official notification from the state of Maine, around 800,000 individuals were affected by the attack, a number exceeding the total number of students at USG universities. This suggests that the data breach may have impacted former students, academic staff, and other employees as well.
Although the disclosure did not mention the leak of driver’s licenses or identification cards, it is possible that such sensitive information was compromised during the attack. USG has offered the victims free 12 months of fraud protection and detection services through Experian as a response to the incident. However, the relevance of these services a year after the breach remains questionable.
The Clop attack on the Moveit Transfer system has been noted as one of the most successful extortion operations in recent years. The fact that organizations are still uncovering and revealing data leaks even a year after the attack underscores the lasting impact of such incidents.