Hackers Employ New Ransom Tactic – Reporting Victim to SEC for Lack of Disclosure

Photo of a hacker with the text "New Ransomware Tactic: Hackers Report Victims to SEC"

Ransomware attacks against financial services are on the rise – 64 percent of 300 surveyed IT and cybersecurity professionals in this industry said they were affected in the past year, up from 55 percent a year ago.

And now comes a new extortion threat. The bad guys will not only hold sensitive and valuable data hostage, but use cybersecurity reporting requirements for publicly traded companies as leverage.

In November, ransomware operation AlphV claimed it had breached the network of MeridianLink, a company that provides digital-lending software to banks and other financial institutions. MeridianLink is publicly traded on the NYSE, and thus subject to new Security and Exchange Commision rules regarding cybersecurity breaches. Those rules say registrants must determine “without unreasonable delay” if cybersecurity incidents are material and if they are, report those details on an Item 1.05 Form 8-K within four business days of the determination.

Here’s where it gets interesting. While ransomware gangs have previously threatened to report their publicly traded victims to the SEC for not reporting breaches, AlphV actually did in what is considered a first, according to DataBreaches.net, which obtained a copy of AlphV’s report to the SEC made on its website.

AlphV wrote: “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

AlphV also shared a screenshot of an automated response that said its complaint had been successfully received by the SEC.

As for MeridianLink, the new SEC rules do not take effect until Dec. 15, 2023. The company also disputes that the breach was material, which would make it exempt from disclosure under the new rules.

A company statement in response to DataBreaches.net said: “Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. We have no further details to offer currently, as our investigation is ongoing.”

Even without the SEC involved, a ransomware attack can still be costly. According to IBM, the average ransomware case cost $4.54 million in 2022, not counting the ransom.

While there’s no magic bullet to prevent ransomware, Digital Silence helps companies who handle sensitive information, like mortgages and bank accounts, in two ways.

Our trademarked Ransomware Assess process identifies the potential attack vectors through which most ransomware is launched, giving you the information to shore up those vulnerable points. And if the worst does happen, our team has more than 30 years of experience handling data breaches and can quickly analyze a ransomware incident and determine an effective response, saving your organization money and limiting potential downtime.

As these types of incidents become more common, smart organizations will have a plan in place before the worst happens. If your company wants to assess your current cybersecurity and develop a plan, let’s talk.

Are you experiencing a
Security Incident?

We are here to help 24/7. In addition to providing immediate assistance, Digital Silence offers a suite of remediation services designed to help organizations get back to business.