From December 15, publicly traded companies in the US will be required by the Securities and Exchange Commission (SEC) to disclose cybersecurity breaches within four working days of the incident.
The ALPHV/BlackCat ransom group has taken it upon themselves to enforce this law early, by submitting a complaint to the SEC that their breach of software company MeridianLink had not been publicly disclosed.
In the group’s report to the SEC, they stated that MeridianLink had suffered a “significant breach” that it did not disclose as required by the new rules.
Snitches get… an automated response that their complaint was received
ALPHV/BlackCat listed MeridianLink as a victim of data theft yesterday, claiming that the alleged breach occurred on November 7. They claim to have stolen company data without encrypting MeridianLink’s systems.
The group released images of both their complaint to the SEC, and the automated response they received from the regulatory body in acknowledgement of their complaint.
In response to the attack, MeridianLink released a statement saying, “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
While it is traditional for ransomware groups to add an extra layer of extortion by threatening to let their victims’ customers know their data was stolen, this is the first incident of its kind where an attacker has complained to an authoritative body about their own attack.
Dr. Illia Kolochenko, Chief Architect at ImmniWeb and Adjunct Professor of Cybersecurity & Cyber Law at Capitol Technology University commented that, “Misuse of the new SEC rules to make additional pressure on publicly traded companies was foreseeable.
“Moreover, ransomware actors will likely start filing complaints with other US and EU regulatory agencies when the victims fail to disclose a breach within the timeframe provided by law. Having said that, not all security incidents are data breaches, and not all data breaches are reportable data breaches.
“Therefore, regulatory agencies and authorities should carefully scrutinize such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence, otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyze their work.
“Victims of data breaches should urgently consider revising their digital forensics and incident response (DFIR) strategies by inviting corporate jurists and external law firms specialized in cybersecurity to participate in the creation, testing, management and continuous improvement of their DFIR plan.
“Many large organizations still have only technical people managing the entire process, eventually triggering such undesirable events as criminal prosecution of CISOs and a broad spectrum of legal ramifications for the entire organization. Transparent, well-thought-out and timely response to a data breach can save millions.”
More from TechRadar Pro