Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

November 16, 2023 at 07:33AM

The ransomware group Alphv and BlackCat has allegedly breached the systems of MeridianLink, a California-based company, and claims to have stolen customer data and operational information. They have filed a complaint with the US Securities and Exchange Commission (SEC) accusing MeridianLink of failing to disclose the breach within the required timeframe. This is the first time a ransomware group has filed an SEC complaint against a victim. MeridianLink denies unauthorized access and is conducting an investigation. The new SEC data breach disclosure rules will be effective from mid-December 2023.

During the meeting, it was discussed that a ransomware group called Alphv and BlackCat has filed a complaint with the US Securities and Exchange Commission (SEC) against MeridianLink, a California-based company. The ransomware group claims to have breached MeridianLink’s systems and stolen customer data and operational information. They are threatening to leak this data unless a ransom is paid. The group alleges that MeridianLink failed to disclose the breach within four business days, as required by SEC rules announced in July. In an effort to increase their chances of getting paid, the hackers have published screenshots on their leak website to show that the complaint has been filed with the SEC. This is reportedly the first time a ransomware group has filed an SEC complaint against one of its victims. MeridianLink, on the other hand, claims that the intrusion was discovered on November 10, while the hackers say it was conducted on November 7. MeridianLink has taken immediate action to contain the threat and has engaged third-party experts to investigate the incident. The company states that there is no evidence of unauthorized access to their production platforms and that the incident has caused minimal business interruption. It’s important to note that the new SEC data breach disclosure rules will only come into effect in mid-December 2023, and MeridianLink has not yet determined if the cybersecurity incident is material to investors, as required by the new rules. SecurityWeek has reached out to the SEC for comment. BlackCat is known for being an active ransomware group and they often employ various tactics to convince targets to pay, including setting up dedicated leak websites for victims.

Full Article