The MOVEit incident: a wake-up call for digital chain risks

Marcel

December 30, 2025

In the summer of 2023, the world was shaken by a large-scale cyber incident involving MOVEit, a widely used solution for secure file exchange. What makes the incident special is not only its scale, but especially the insight it provided into how vulnerable digital supply chains are. For directors and CISOs of medium-sized organizations, this incident is an important lesson.

MOVEit is used by organizations that need to exchange sensitive data with customers, suppliers, and government agencies. It was precisely that confidence in a “proven” solution that made the impact of the incident so great.

What is MOVEit and why is it so widespread?

MOVEit is a so-called Managed File Transfer (MFT) solution. This is software that organizations use to securely send and receive files, often with sensitive or privacy-sensitive information such as personal data and financial data. MOVEit was developed by Progress Software, an American software company that has been active in business software for decades.

Many organizations opt for this type of solution because it meets compliance requirements and security standards. As a result, file transfer is often seen as a “ticked off” risk, something that has been safely outsourced to a supplier.

What went wrong with the MOVEit incident?

Cybercriminals discovered a vulnerability in MOVEit Transfer, the server version of the software. Through this vulnerability, they were able to gain unauthorized access to systems and copy data without leaving any direct traces. This type of vulnerability is also called a zero-day: a security vulnerability that is not yet known to the supplier.

It is important to note that MOVEit users themselves did not do anything wrong. Organizations that had properly set up and updated their systems still turned out to be vulnerable. This underlines how dependent you are on the security of your suppliers.

The scale and impact: thousands of organizations affected

The attacks were attributed to the cybercriminal group Cl0p, which specializes in large-scale data theft and extortion. Thousands of organizations worldwide were affected, including banks, healthcare institutions, educational organizations and governments.

Dutch organizations also appeared to be affected, sometimes indirectly via suppliers or service providers. Think of payroll processors, IT service providers or logistics partners who used MOVEit for data exchange. As a result, personal data of employees and customers was exposed, without the affected organizations having direct control over it.

Why this is a typical supply chain incident

The MOVEit incident is not a classic “hacker attacks company” story. It is a prime example of a digital supply chain incident. The attack targeted one software supplier, but had consequences for thousands of organizations in the chain.

For directors, this is an important insight: your digital supply chain consists not only of direct suppliers, but also of the software and services they use. The further that chain extends, the more difficult it becomes to oversee and manage risks.

The administrative reality: responsibility remains with you

Although the vulnerability lay with the supplier, the responsibility remained with the affected organizations themselves. They had to report to regulators, inform the individuals concerned and limit reputational damage. This often leads to difficult questions from customers, regulators and the media.

For directors, this is a sobering reality: outsourcing reduces operational burdens, but not the ultimate responsibility. Digital risks do not stop with the contract with a supplier.

What can organizations learn from this?

The MOVEit incident shows that traditional supplier assessments are no longer sufficient. An annual audit or questionnaire does not provide insight into current vulnerabilities. Organizations would do well to continuously monitor critical suppliers and make explicit agreements about vulnerability management and incident response.

In addition, it helps to gain insight into where sensitive data is located and through which systems it is exchanged. Many organizations only realize how complex their digital chain actually is during an incident.

From IT problem to strategic risk

What MOVEit makes particularly clear is that supply chain security is no longer a purely IT topic. It affects business continuity, compliance, reputation and trust. This means it belongs on the agenda of the executive board and board of directors.

By explicitly naming and discussing supply chain risks, organizations can invest in resilience in a more targeted way. Not by doing everything themselves, but by making more conscious choices about suppliers, contracts and supervision.

Conclusion: awareness is the first step

The MOVEit incident was not an exceptional event, but a harbinger of what will happen more often. Digital ecosystems are becoming more complex and attackers are increasingly targeting links that affect many organizations at the same time.

For medium-sized organizations, it is therefore essential to look beyond their own walls. Those who understand how far the digital supply chain extends can better anticipate risks and prevent the next incident from coming as a surprise again.