Meridian Ransomware Attack Timeline
According to DataBreaches.net, the ALPHV ransomware operation claimed responsibility for the breach back on November 7.
At the time, the cybercrime gang threatened to leak the supposedly stolen data unless a ransom was paid within 24 hours. Despite the hack taking place over a week ago, no data appears to have been leaked yet.
The threat actor said that they have not yet heard from MeridianLink regarding a payment in exchange for not releasing the allegedly stolen data. The supposed lack of response from MeridianLink is likely what led to the Black Cat hackers submitting a complaint to the SEC disclosing details of the breach that impacted “customer data and operational information.”
Criminals Weaponizing the Law
The SEC disclosure highlights that MeridianLink failed to meet the four-day deadline as required in Form 8-K, under Item 1.05. However, according to Reuters, this law doesn’t come into effect until December 15, 2023, so the company may have a get-out-of-jail-free card.
A screenshot of the complaint, along with the automated response from the SEC, was recently published on the ALPHV website in a bid to show legitimacy. The caption of the screenshot read: “MeridianLink fails to file with the SEC…so we do it for them + 24 hours to pay”.