Imagine you’re a business owner, and you’ve just become the target of a cyberattack by a ransomware operation named ALPHV or BlackCat. Now, these cybercriminals aren’t just holding your data hostage – they’re taking things a step further by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against your company for not disclosing the attack within the required four-day window.
This is precisely what happened to software company MeridianLink, which provides digital solutions for financial organizations. The ransomware gang gave them 24 hours to pay a ransom, or they would leak stolen data.
From hackers to whistleblowers
According to DataBreaches.net, the ALPHV gang claimed to have breached MeridianLink’s network on November 7, stealing data without encrypting systems. They stated that MeridianLink reached out, but they had not received any response to start negotiating a payment in exchange for not leaking the stolen data.
This silence from the company likely pushed the hackers to put more pressure on them by sending a complaint to the SEC, accusing MeridianLink of not disclosing a cybersecurity incident that affected customer data and operational information.
To prove their point, ALPHV published a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page. They informed the SEC that MeridianLink had suffered a “significant breach” and did not disclose it as required by Form 8-K, under Item 1.05.
Due to the increasing number of security incidents involving U.S. organizations, the SEC has recently adopted new rules that mandate publicly traded companies to report cyberattacks with material impact – meaning they could influence investment decisions. The reporting should be done within four business days after determining that an incident is material. However, these new rules will only take effect on December 15, 2023, according to Reuters.
ALPHV also shared the reply they received from the SEC, confirming that their submission against MeridianLink was received.
MeridianLink admits to being attacked
In a statement, MeridianLink acknowledged the cyberattack and mentioned that they immediately acted to contain the threat and engaged a team of third-party experts to investigate. The company is still working to determine if any consumer personal information was impacted and will notify affected parties if necessary.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” – MeridianLink
While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation of such an action. In the past, ransomware actors have tried to pressure victims by contacting their customers about the intrusion or even intimidating victims directly via phone calls.
So, what does this mean for you as a U.S. business owner? It’s a clear sign that cybercriminals are becoming more daring and sophisticated, and it highlights the importance of taking cybersecurity seriously. Don’t wait until it’s too late – reach out to us and learn how ZZ Servers can help protect your business.