← The Five Quadrants of Risk

Risk register · entry

Q3 · Engineered

MOVEit mass-exploit

One file-transfer zero-day breached 2,700+ organisations at once.

Tightly coupled systems where one small fault cascades and takes down the whole machine.

Room
Q3 Engineered
Year
2023
Impact
95M+ people
Sector
Data supply chain
Region
Global
Category
Technological

Why this room

The root cause sits in Q3 Engineered because the payoff mechanism was a simple, well-understood technical failure mode (an unpatched SQL injection in shared infrastructure) that produced a genuinely fat tail: one flaw, exploited once, cascaded through 2,700+ independent organizations simultaneously rather than harming one company at a time, exactly the correlated, low-frequency/high-severity signature of engineered risk; the subsequent extortion campaign then imported Q-Fraud's payoff structure (deliberate deception, payment demanded under threat) on top of that technical base.

The record

  • CVE-2023-34362, SQL injection vulnerability, CVSS 9.8certain
  • Exploitation began around May 27-28, 2023 (per Mandiant/Rapid7 telemetry)certain
  • Progress Software publicly disclosed the vulnerability May 31, 2023certain
  • Web shell used: LEMURLOOTcertain
  • Roughly 2,500 MOVEit Transfer instances exposed to the public internet as of May 31, 2023certain
  • 2,773 organizations affected overalllikely
  • Approximately 95.8 million individuals' data exposedlikely
  • Clop posted its first batch of 12-13 named victims on its leak site June 14, 2023, threatened public data dumps from June 21certain
  • Progress Software: ~$1.5 million direct incident costs in FY2023, $3.7 million insurance recoveries, $8.8 million insurance coverage remainingcertain
  • SEC subpoena issued to Progress Software October 2, 2023certain
  • Progress Software named in ~118 class-action suits as of early 2024, rising past 140 laterlikely
  • Settlements: National Student Clearinghouse $9.95M, Nuance Communications $8.5M, Cadence Bank $5.25M, Arietis Health $2.8Mcertain
  • Emsisoft (June 2024) modeled global economic cost at over $15.8 billion using IBM's ~$165-per-record average breach costuncertain
  • Zellis (payroll processor) was the third-party conduit exposing BBC, British Airways and Aer Lingus datacertain

Sources

  1. CISA
  2. Cybersecurity Dive
  3. BleepingComputer
  4. Rapid7
  5. Cloudskope
  6. Hagens Berman
  7. Palo Alto Networks Unit 42

The book

This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.

Join the waiting list