Ransomware Gang Files SEC Complaint over Victim’s Undisclosed Breach

Accepted submission by fliptop at 2023-11-18 01:20:38 from the pay-up-or-we'll-report-you dept.
News

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack [bleepingcomputer.com]:

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

According to DataBreaches.net [databreaches.net], the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

[...] In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.

The SEC’s new cybersecurity rules [bleepingcomputer.com] are set to take effect on December 15, 2023.

Originally spotted on Schneier on Security [schneier.com].

Related: Teens With “Digital Bazookas” Are Winning the Ransomware War, Researcher Laments [soylentnews.org]

