Ransomware gang files SEC complaint over undisclosed breach

The ALPHV/BlackCat ransomware operation has filed a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

The hacker group listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

The ALPHV ransomware gang breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

As MeridianLink did not respond, this prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

To show that their complaint is real, ALPHV also published on their site a screenshot of the form they filled out on SEC’s Tips, Complaints, and Referrals page.

The SEC has adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions.

According to the new rule, cybersecurity incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material.”

However, the SEC’s new cybersecurity rules are set to take effect on December 15, 2023.

ALPHV also provided on their site the reply they received from the SEC to the complaint against MeridianLink, to show that the submission was received.

MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.

The company added that if any consumer personal information was impacted by the cyberattack, it will notify affected parties if so.

While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.

The post Ransomware gang files SEC complaint over undisclosed breach first appeared on Cybersafe News.

CyberNews RansomWare