Slash Boxes

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 15 submissions in the queue.

Submission Preview

Link to Story

Ransomware Gang Files SEC Complaint over Victim’s Undisclosed Breach

Accepted submission by fliptop at 2023-11-18 01:20:38 from the pay-up-or-we'll-report-you dept.

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack []:

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

According to [], the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

[...] In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.

The SEC’s new cybersecurity rules [] are set to take effect on December 15, 2023.

Originally spotted on Schneier on Security [].

Related: Teens With “Digital Bazookas” Are Winning the Ransomware War, Researcher Laments []

Original Submission