Amazon has confirmed that it was impacted by the MOVEit third party breach that took place in 2023, and that a large amount of employee data was included with a massive trove that was offered for sale on a hacking forum.
Amazon is not alone among major companies that had employee data stolen and sold by this attacker; that list also includes 3M, Lenovo, HP, British Telecom, and more. But of the roughly five million records the hacker offered for sale, Amazon had over half the total at about 2.86 million.
Amazon employee data consisted of work contact information
While most of the fallout from the MOVEit third party breach took place in the latter half of 2023, the new trove of employee data appeared for sale fairly recently. There is also not yet any clear connection to the Cl0p ransomware gang, which was responsible for that breach. The new information is being offered by a hacker called “Nam3L3ss” and does not appear to have been made public before now.
Amazon has confirmed that the employee data is legitimate, but there is still some confusion about how sensitive it is. Amazon has made a public statement claiming that it is limited to work email addresses, desk phone numbers, and building locations. The hacker claims that it also includes cost center codes and “entire organizational structures” in some cases. Amazon says that AWS and its other systems remain secure, and that the data was taken from a third party breach on a property management vendor.
Nam3L3ss has also claimed to be sitting on a total of 250 terabytes of archived database files stolen from tens of other organizations, and that there are some 1,000 third party breaches that have not yet been disclosed to the public. The hacker has promised to sell or publish more of this stolen employee data in the coming days.
Amazon is assuring customers and AWS clients that their personal and private data remains secure, and they are not presently being advised to change passwords or take any other additional security steps. The wording of its public statements indicates that the third party breach at a property management firm of some kind involved other companies, and it is not clear if the Nam3L3ss hoard comes entirely from breaching that unnamed contractor.
The hacker has not contradicted Amazon’s statements that sensitive employee personal information was not included in the breach, but the scope of the attack in terms of number of people impacted is still very unclear. The only number thus far comes from the hacker, who has said that about 2.8 million lines of employee data are in the tranche. Amazon has a total workforce of about 1.5 million, the majority of these working various roles in its picking and packing warehouses and shipping operations.
Hacker promises many more third party breaches to come
The theft of employee data appears to trace back to vulnerability CVE-2023-34362, the critical issue in MOVEit’s file transfer software that allows hackers to access files on unpatched systems without authorization. As of early 2024 the count of victim organizations was over 2,600 and almost 90 million total records had been stolen. Both numbers continue to tick up as hackers appear to be switching focus to third party breaches along the supply chain of major companies, at smaller outfits where patching may be more lax.
The ransomware gang Clop kicked off exploitation of this vulnerability in late May of last year and was responsible for nearly all of the activity through the rest of 2023, but now it appears other groups may be either hunting smaller fish or hitting upon access to previously leaked Clop data. In July 2023 Clop started leaking victim information to the “clear web” when parties refused to enter negotiations with them. The group apparently did this to speed up downloads and ease access, but many of those sites were also taken down very quickly. All of the data leak sites that they were known to have put up have long since been taken offline.
Clop was extremely patient in exploiting this zero-day they had hit upon, waiting until the start of Memorial Day weekend (a three-day holiday in the US) to target predominantly American companies. The group also did not stick to its usual approach of deploying ransomware, instead hoarding a huge amount of data quietly and then gradually extorting companies with it. It is thus not surprising to see victims continuing to trickle in well over a year after the main action of the incident took place.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, points out that this is yet another reminder that a company’s security is only as good as its next third party breach: “The lessons are many. But one of the main lessons is that any place where your data resides is a place that data can be compromised. Every vendor relationship that either has access to your network and data or who you send data to, for whatever reason, is a new place for a potential compromise. Try to limit where your data is, both inside of your organization and outside. And if sending your data to some other organization, make sure that they follow the same strict cybersecurity controls that you require in your own organization. In this case, however, the data compromise appears related to a zero day vulnerability and the involved needed patch was not available until a few days after the exploit began. In these types of cases really the only realistic defense is to make sure your data is only where it’s needed only when it’s needed. And when the processing is done by the third party provider, make sure the data is deleted. Hackers can’t compromise what doesn’t exist.”
Nick Mistry, SVP, CISO, Lineaje, adds some advice on dealing with the reality of vendors that must have some level of trusted access: “As organizations increasingly rely on third-party vendors for various services, it becomes crucial to ensure these partners meet the same stringent security standards that your own organization upholds. Recent Lineaje research reveals that an average of 250 components with unknown origins lurk within every application, creating significant points of exposure for the software supply chain. This latest incident serves as a reminder that effective third-party risk management should not be a nice-to-have, but a must have. Having a robust incident response plan that zeroes in on third-party threats is essential, so organizations can promptly identify and reduce any risks resulting from vendor partnerships. More specifically, businesses must put in place thorough procedures to proactively detect and address risks, such as frequent security audits, assessments, and ongoing third-party software monitoring. In today’s threat landscape, the security of your ecosystem extends far beyond the reach of your own systems and infrastructure. Now is the time to reassess your third-party security practices, before the next vulnerability becomes a costly breach and reputational nightmare. As an industry, we need to prioritize ensuring a high level of software integrity throughout the entire software supply chain, end-to-end.”
Joe Silva, CEO of Spektion, adds: “This update to an older vulnerability exploit reinforces how third-party software remains one of the largest and least manageable cybersecurity risks organizations face, including large and technically sophisticated enterprises. By the time any company reacts to third-party software risks and vulnerabilities, they’re already being actively exploited while just being publicly disclosed. It’s time for a new approach in how we address our software supply chain. Rather than lagging behind and simply reacting to CVEs, CISOs and their teams need to focus on a proactive approach to their third-party software by shifting left and leveraging data that enables quick, accurate, and actionable risk assessments of software before they’re exploited.”