Hacker chutzpah: Ransomware group says it reported victim to SEC


Cybercriminal group Alphv said it reported a victim of one of its ransomware attacks to the Securities and Exchange Commission for supposedly violating the regulator’s new rule mandating publicly traded companies report substantial cybersecurity incidents.

The company, financial software firm MeridianLink, confirmed it suffered an attack but had not yet determined the extent of personal information compromised.

“MeridianLink recently identified a cybersecurity incident,” a spokeswoman for the company said Friday. “Safeguarding our customers’ and partners’ information is something we take seriously. Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident.”

The spokeswoman added that the company had identified “no evidence of unauthorized access to our production platforms” and that the incident caused minimal business interruption.

“If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law,” the spokeswoman said. “We have no further details to offer currently, as our investigation is ongoing.”

MeridianLink counts many credit unions and some community banks as customers. The company reported $288 million in revenue last year.

MeridianLink did not have to report the incident in an 8-K filing, as Alphv claimed, because the SEC’s new rule regarding material data breaches does not take effect until next month. Rather, cybersecurity experts said the report was merely a means of putting additional pressure on MeridianLink, which Alphv is extorting via the threat of releasing the data it stole.

The SEC’s rule gives publicly traded companies four days to report a security incident from the time that the company determines it to be “material.” Alphv said it compromised MeridianLink on Nov. 7. Alphv posted on Wednesday on its victim-shaming website about the SEC complaint it said it filed.

The SEC did not immediately respond to a request for comment. Other reports indicated the commission was not commenting on the matter.

The “misuse” of the SEC’s form for flagging unreported data breaches was entirely foreseeable, according to Ilia Kolochenko, CEO of…
