The notorious ALPHV/BlackCat ransomware operation has upped the ante by filing a formal complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink, revealing a MeridianLink breach that was not made public within the timespan it should have been.
The accusation centers on MeridianLink’s alleged failure to adhere to the prescribed four-day rule for disclosing a cyberattack, signaling a new chapter in the ongoing battle against ransomware.
The threat the MeridianLink breach poses to the company
MeridianLink, a publicly traded software company specializing in digital solutions for financial entities, found itself in the crosshairs of the ALPHV/BlackCat ransomware group. The attackers took their extortion tactics to the public domain, listing MeridianLink on their data leak roster and issuing a threat to expose purportedly stolen data unless a ransom was paid within a mere 24 hours.
According to insights from DataBreaches.net, the ransomware gang claimed to have infiltrated MeridianLink’s network on November 7, making off with company data without employing the typical encryption methods. Despite indications that MeridianLink initiated contact, the hackers reported a lack of response concerning negotiations for a ransom.
Filing a grievance with the SEC
In a surprising move, the ALPHV ransomware group decided to escalate its confrontation with MeridianLink by filing a formal complaint with the SEC. The complaint alleged that MeridianLink failed to disclose a significant breach incident impacting both customer data and operational information. The disclosure obligation is outlined in Form 8-K, Item 1.05, which mandates timely disclosure of material events.
To bolster their case, ALPHV published a screenshot of the complaint they submitted through the SEC’s official channel, providing a rare glimpse into the tactics employed by ransomware actors when dealing with regulatory bodies. The group also shared the response they received from the SEC, confirming the receipt and acknowledgment of their submission.
MeridianLink’s response and ongoing investigation
In response to these allegations, the company confirmed the occurrence of the MeridianLink breach, asserting that they took immediate action to contain the threat. Engaging a team of third-party experts, MeridianLink is actively investigating the incident to assess the potential impact on consumer personal information. The company pledged to notify affected parties promptly if any compromise is identified.
This incident underscores the evolving tactics employed by ransomware groups, moving beyond traditional extortion methods. The SEC’s new cybersecurity rules, slated to take effect on December 15, 2023, mandate the disclosure of material cyberattacks within four business days. ALPHV’s utilization of regulatory channels may signify a disturbing trend where ransomware actors leverage legal avenues to exert additional pressure on their victims, blurring the lines between cyber warfare and regulatory compliance.
As organizations brace for an increasingly sophisticated threat landscape, this case serves as a stark reminder of the urgent need for robust cybersecurity measures.
Meanwhile, cybersecurity concerns among both leading and smaller companies are intensifying, as the strategies ransomware groups now employ make attacks more complex and harder to prevent. If you wish to stay on top of the stories that spark these concerns, make sure to check out our articles on how the Okta data breach leaked information about employees and how a Casio data breach exposed customers in 149 countries.
Featured image credit: Özgürcan Özergin/Bing Image Creator