Evan D. Wolff; Matthew B. Welling; Michael G. Gruden, CIPP/G; Maarten Stassen; Garylene “Gage” Javier; Sarah Rippy

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 

MFT platforms are used to securely transfer files between parties, and Clop reportedly compromised MOVEit Transfer using a previously unknown (zero-day) vulnerability that allowed attackers to steal files from MOVEit’s underlying database. This vulnerability is now tracked as CVE-2023-34362.

Clop has previously targeted MFT platforms such as Accellion and has shown that it is prepared to follow through on threatened next steps. In this case, Clop is threatening to identify victim companies on the Clop site as soon as June 14 and then, if a ransom is not paid, publish victims’ stolen data. In prior attacks, Clop has also reportedly contacted victim companies directly with ransom demands, sometimes weeks or more after the attack. We do not recommend that victims contact threat actors like Clop directly but instead work with experts to do so safely, if necessary.

Continue Reading MOVEit Vulnerability: What to Know and What to Do

Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without. This latest edition is hosted by partner David Robbins and includes updates on the GAO Data Act report and Organization Conflicts of

Kate M. Growley, CIPP/G, CIPP/US

2013 has been a historic year for cybersecurity, privacy and data breach issues. From the President’s Executive Order, to the revised NIST security & privacy controls, and to the groundbreaking Mandiant report on cyber espionage, the pressure is on for companies to secure their handling of sensitive data.

In order to mitigate the risk of data breach, cyber theft, and the loss of trade secrets and other intellectual property, both government agencies and private companies need to understand the sector-specific rules and requirements for information security, privacy, and data protection. Only after the rules of the road are fully understood can agencies and contractors implement policies to mitigate the risks posed by cyber threats.
Continue Reading Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny