Photo of Michael G. Gruden, CIPP/GPhoto of Sarah Rippy

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 

MFT platforms are used to securely transfer files between parties, and Clop reportedly compromised MOVEit Transfer using a previously unknown (zero-day) vulnerability that allowed attackers to steal files from MOVEit’s underlying database. This vulnerability is now tracked as CVE-2023-34362.

Clop has previously targeted MFT platforms such as Accellion and has shown that it is prepared to follow through on threatened next steps.  In this case, Clop is threatening to identify victim companies on the Clop site as soon as June 14 and then, if a ransom is not paid, publish victims’ stolen data.  In prior attacks, Clop has also reportedly contacted victim companies directly with ransom demands, sometimes weeks or more after the attack.  We do not recommend that victims contact threat actors like Clop directly but instead work with experts to do so safely, if necessary.

Organizations that may be victims of this attack should consider the following steps:

  1. Organizations that used the MOVEit Transfer platform with its web interface exposed to the internet should consider initiating a privileged investigation to determine if they were impacted by this attack.
  2. Organizations with vulnerable MOVEit Transfer systems should consider reviewing available guidance and patching information from Progress Software, the maker of MOVEit Transfer, and be vigilant for additional attempts at exploitation and data theft, as well as other attacks targeting these systems (e.g., the deployment of ransomware encryptors). Progress Software, the maker of MOVEit, has provided information about the vulnerability, patching and recommended mitigation here:  https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
  3. If your organization was impacted, assess the attacker’s level of access and what data was compromised.
  4. Based on the data compromised, determine your organization’s notification requirements under applicable laws, regulations, and contracts.
  5. Organizations should also consider reviewing their supply chains and other counterparties to determine if their data may have been exposed through third parties’ use of the MOVEit Transfer platform.

Crowell & Moring attorneys are monitoring developments and stand ready to support affected businesses.

Tags: CISA, Cybersecurity, data breach
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Read more about Michael G. Gruden, CIPP/G
Show more Show less
Photo of Sarah Rippy Sarah Rippy

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She…

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She joins the firm after a year serving as a Westin Research Fellow at the International Association of Privacy Professionals, where she focused on state law developments, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

Read more about Sarah RippySarah's Linkedin Profile
Show more Show less
Related Posts
FedRAMP Proposes Updates to Authorization Process—Six New RFCs Released for Public Comment
January 22, 2026
An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.
December 29, 2025
From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance
October 15, 2025