Cyber gangs cross a new milestone

Cyber gangs just crossed a milestone – they have started filing complaints with the US Securities and Exchange Commission (SEC) to report uncooperative victims.

BlackCat and ALPHV is believed to be the first cybercriminal organization to report its victim to the independent agency of the United States federal government.

The bad actors are the same group of fraudsters who brought havoc in Las Vegas last month after they managed to breach MGM Resorts.

MeridianLink refuses to pay ransom, hackers retaliate

The Russia-linked criminal organization managed to hack MeridianLink.

MeridianLink is a company that provides a loan origination system and landing platform located in Orange County, CA.

Since the finance company refused to pay the requested ransom, the cybercriminals sought ways to retaliate.

After leaking data, exposing personal details of the CEO and family, they filed an SEC complaint alleging non-disclosure of the breach.

Unclear scope of data breach and impact

The cyber security incident happened on Nov 7th, 2023, and was discovered the same day. The attack did not include the deployment of file-encryption malicious code.

The cyber gang illegally copied lots of MeridianLink data and approached the business, asking for a ransom. The hackers only gave the loan platform provider twenty-four hours to respond to the extorsion request.

However, details about what type of data has been stolen and the number of people whose data has been compromised.

MeridianLink refused to share much information about the incident. The main reason was because the company did not want to interfere with the ongoing investigation.

Although they stated that the breach only caused minimal business disruption.

Delayed reporting of cybersecurity incidents favors hackers

In any case, it is unclear if the SEC file complaint will be taken seriously by the government agency as businesses are not yet required to report such incidents within a four-day time frame.

This rule is supposed to go into effect next month and be fully enforced at the start of 2024. 

SEC’s complaint page may be used by cybercriminals, but it was not intended for this purpose.

The reason why bad actors won’t hesitate to use SEC tool is because often take more than four days to report any material cyber security incidents.