Cl0p Exploited MOVEit Zero-Days to Steal Data From Thousands of Organizations
The Cl0p extortion group exploited multiple critical SQL injection flaws in Progress Software's MOVEit Transfer platform, beginning with the zero-day later tracked as CVE-2023-34362, to breach organizations worldwide and steal large volumes of data. Researchers and government agencies linked the campaign to Cl0p, also tracked as Lace Tempest, FIN11, and TA505, and reported that attackers often deployed the LemurLoot web shell and exfiltrated files within minutes; in some cases, the malware could also pull Azure Blob storage details and credentials from MOVEit settings. Progress disclosed and patched additional MOVEit vulnerabilities, including CVE-2023-35036 and CVE-2023-35708, as incident responders warned that victim counts would continue to rise through delayed breach notifications and downstream third-party exposure.
The fallout spread across government, finance, healthcare, education, insurance, professional services, and major global brands, with disclosures naming entities such as EY, PwC, Sony and Pan-American Life Insurance Group among the affected organizations or reported victims. By later tallies, the campaign had compromised thousands of organizations and tens of millions of individuals, while Cl0p shifted from encryption to data-theft and extortion, publishing stolen information from nonpaying victims on leak sites. The incident triggered broad regulatory scrutiny, lawsuits, response costs, and supply-chain consequences as organizations discovered that exposure often came through vendors and file-transfer partners rather than direct compromise.
How this story unfolded
61 events from the most recent confirmed update back to the earliest known activity.
Known MOVEit toll reaches 2,773 organizations and 95.8 million people
As of 2024-06-28, Emsisoft's tracking put the MOVEit campaign at 2,773 organizations and 95,788,491 affected individuals. U.S.-based entities made up most known victims, with education, healthcare, and finance/professional services among the hardest-hit sectors.
Pan-American Life Insurance Group reports MOVEit-linked breach
Pan-American Life Insurance Group disclosed a data breach affecting about 105,000 individuals that was tied to the MOVEit incident. The disclosure illustrated the long tail of victim notifications months after the initial exploitation.
Aetna Life Insurance discloses MOVEit breach affecting 300,000+ people
Aetna Life Insurance Company disclosed that a MOVEit Transfer-related breach impacted more than 300,000 individuals. The notice added another major insurance-sector victim to the long tail of breach disclosures tied to Cl0p's mass exploitation campaign.
Blue Shield of California discloses MOVEit breach affecting hundreds of thousands
Blue Shield of California disclosed that a MOVEit-related breach affected hundreds of thousands of members. The notice added another major healthcare insurer to the continuing stream of downstream victim disclosures tied to the Cl0p MOVEit exploitation campaign.
Medical College of Wisconsin discloses MOVEit-linked breach
The Medical College of Wisconsin said a MOVEit Transfer-related breach affected more than 240,000 individuals. The disclosure added another healthcare-sector victim to the long tail of organizations reporting impact from the Cl0p exploitation campaign.
Welltok discloses MOVEit breach affecting about 1.6 million people
Welltok was reported as a victim of the MOVEit Transfer mass exploitation campaign, with the breach affecting roughly 1.6 million individuals. The disclosure added another major healthcare-sector downstream victim to the continuing stream of breach notifications tied to Cl0p's attacks.
MESVision discloses MOVEit breach affecting nearly 350,000 patients
California-based MESVision said a MOVEit Transfer-related breach impacted close to 350,000 patients. The disclosure added another healthcare-sector victim to the continuing stream of downstream breach notifications tied to the Cl0p MOVEit exploitation campaign.
Maine says MOVEit breach affected about 1.3 million residents
Maine state government disclosed that a MOVEit-related data breach impacted roughly 1.3 million residents. The notice added a major U.S. state-government victim and one of the larger publicly reported population-level exposures tied to the Cl0p MOVEit campaign.
Westat reports MOVEit-linked data breach
Westat, Inc. disclosed a data breach resulting from exploitation of the MOVEit software vulnerability. The notice added another downstream victim to the long tail of organizations publicly reporting impact from the Cl0p MOVEit campaign.
Sutter Health says MOVEit breach affected over 845,000 patients
SC Media reported that Sutter Health disclosed a MOVEit-linked data breach affecting more than 845,000 patients. The notice added another major healthcare-sector victim to the long tail of downstream breach disclosures tied to Cl0p's mass exploitation campaign.
Sun Life Financial says MOVEit breach affected 212,000+ U.S. customers
Sun Life Financial disclosed that a MOVEit-related data breach impacted more than 212,000 U.S. customers. The notice added another insurance-sector victim to the continuing stream of downstream breach disclosures tied to the Cl0p MOVEit exploitation campaign.
NASCO discloses MOVEit-linked breach affecting about 800,000 people
Healthcare technology company NASCO was reported as a victim of the MOVEit Transfer mass exploitation campaign, with data exposure affecting roughly 800,000 individuals. The disclosure added another major downstream victim to the long-running stream of breach notifications tied to Cl0p's attacks.
CCleaner confirms MOVEit-linked data breach
CCleaner confirmed that it was affected by the MOVEit mass exploitation campaign, adding another named software company to the list of publicly disclosed victims tied to Cl0p's attacks. The disclosure extended the campaign's known impact into the consumer software sector.
MOVEit campaign impact surpasses 2,550 organizations and 66 million people
By October 2023, reporting cited more than 2,550 affected organizations and roughly 66 million impacted individuals. The incident had also triggered major financial, legal, and regulatory consequences for Progress, including lawsuits and an SEC inquiry.
Texas-based credit union says MOVEit breach affected 102,000 customers
A Texas-based credit union disclosed that a MOVEit Transfer-related data breach impacted about 102,000 customers. The notice added another financial-sector victim to the long tail of downstream breach disclosures tied to Cl0p's mass exploitation campaign.
Additional MOVEit victim data is leaked by Cl0p
Later in August, Cl0p released more data from MOVEit victims, continuing the extortion campaign and increasing the exposure of stolen records. The leaks underscored that many affected organizations had not reached agreements with the attackers.
Standard Insurance says NTT DATA MOVEit breach exposed 300,000+ customers
Reporting on 2023-08-25 said data belonging to more than 300,000 Standard Insurance customers was exposed through NTT DATA's MOVEit-related breach. The disclosure added another downstream victim relationship to the expanding impact of the Cl0p MOVEit exploitation campaign.
Cl0p begins leaking MOVEit victim data publicly
In August 2023, Cl0p started publishing data stolen in the MOVEit campaign, escalating pressure on victims through extortion. Public leaks marked a shift from claims of compromise to visible release of exfiltrated information.
Serco discloses MOVEit-linked data breach
U.S. government contractor Serco publicly disclosed a data breach resulting from the MOVEit mass exploitation campaign. The disclosure added another notable downstream victim connected to sensitive government-related services.
CMS says MOVEit breach exposed data of 612,000 Medicare beneficiaries
On 2023-07-31, the Centers for Medicare & Medicaid Services disclosed that a MOVEit-linked breach exposed personal data belonging to about 612,000 Medicare beneficiaries. The notice added a major U.S. government healthcare impact disclosure to the expanding list of downstream victims tied to the Cl0p campaign.
Medicaid administrator breach exposes data of more than 8 million people
A Medicaid administrator disclosed a MOVEit-linked breach affecting more than 8 million people. The report marked a major escalation in downstream impact, adding one of the largest publicly reported exposure totals tied to the Cl0p MOVEit campaign at that time.
Maximus and Deloitte linked to MOVEit breach affecting millions
Reporting on 2023-07-27 said government services contractor Maximus and consultant Deloitte were among organizations affected by the MOVEit exploitation campaign. The disclosure highlighted exposure of healthcare-related files affecting millions of people, adding major named victims to the incident's growing toll.
DHL investigates possible MOVEit breach exposure
On 2023-07-21, reporting said DHL was investigating whether it had been affected by the MOVEit Transfer exploitation campaign. The report added a major global logistics brand to the list of organizations publicly responding to possible compromise tied to Cl0p's attacks.
Ofcom discloses MOVEit breach and says it will not pay ransom
On 2023-07-20, UK telecom regulator Ofcom said it was affected by the MOVEit Transfer mass exploitation campaign and stated it would not pay a ransom demand. The report also identified Ireland's telecom regulator ComReg as another newly disclosed victim, adding European regulators to the growing list of impacted organizations.
Estée Lauder and Mary Kay reported as MOVEit victims
A 2023-07-19 report said cosmetics companies Estée Lauder and Mary Kay were on the growing list of organizations affected by the Cl0p MOVEit Transfer exploitation campaign. The disclosure added newly named consumer-brand victims to the expanding roster of impacted companies.
TJ Maxx and TomTom confirm MOVEit-related data incidents
Reporting on 2023-07-17 said TJ Maxx and TomTom were among the latest organizations to confirm data incidents tied to the Cl0p MOVEit Transfer exploitation campaign. The disclosures added major retail and navigation-technology brands to the growing list of publicly identified victims.
Vitesco Technologies reported as a MOVEit victim
TechMonitor reported that Vitesco Technologies was among the organizations identified as victims of the Cl0p MOVEit Transfer exploitation campaign. The report added another named enterprise victim to the expanding list of affected companies.
Colorado State University discloses MOVEit-related data breach
Colorado State University said a data breach tied to the MOVEit Transfer exploitation campaign affected students and staff. The disclosure added another higher-education victim to the growing list of organizations impacted by Cl0p's mass exploitation.
Shutterfly says MOVEit incident did not affect customer data
Shutterfly said it was affected by the Cl0p-linked MOVEit campaign but stated that its investigation found no impact to customer data. The statement added a new named victim response and clarified the scope of exposure at the company.
MOVEit victim count reaches hundreds of organizations
By mid-July, incident tracking showed the mass exploitation had spread to hundreds of organizations and many downstream third parties. Government, healthcare, education, finance, pensions, and manufacturing were among the affected sectors.
PBI discloses MOVEit breach affecting more than 370,000 people
On 2023-07-12, reporting said healthcare organization PBI suffered a MOVEit-linked data breach exposing details of more than 370,000 people. The disclosure added another healthcare-sector victim to the growing list of organizations impacted by Cl0p's mass exploitation campaign.
Another health system discloses MOVEit-linked data breach
Becker's Hospital Review reported that another health system had become a disclosed victim of the MOVEit Transfer mass exploitation campaign. The report added a new healthcare-sector victim to the growing list of organizations publicly acknowledging impact from Cl0p's attacks.
Choice Hotels says Radisson guest data was exposed in MOVEit breach
On 2023-07-10, reporting said Choice Hotels disclosed that guest information from Radisson Hotels Americas was exposed through the MOVEit Transfer attacks. The report added a major hospitality-sector victim relationship to the growing list of downstream organizations affected by the Cl0p exploitation campaign.
Deutsche Bank and Postbank reported impacted by MOVEit breach
A 2023-07-10 report said Deutsche Bank and its Postbank unit were affected by the Cl0p MOVEit Transfer exploitation campaign, exposing customer data. The disclosure added a major European banking-sector victim to the growing list of publicly identified organizations tied to the mass exploitation.
CISA warns on three new MOVEit vulnerabilities
On 2023-07-07, CISA warned about three newly disclosed MOVEit Transfer vulnerabilities as additional organizations continued reporting breaches tied to the broader exploitation wave. The alert marked a further technical escalation beyond the earlier June patches, indicating more flaws had been identified in the product.
Ciena says limited data was impacted in MOVEit attack
Ciena disclosed that it was affected by the MOVEit Transfer attack and said the incident had a limited impact on data. The statement added another named enterprise victim to the growing list of organizations publicly acknowledging exposure tied to the Cl0p campaign.
TIAA linked to MOVEit breach affecting teachers' retirement data
On 2023-06-30, reporting said schools disclosed that TIAA, a major U.S. retirement fund serving teachers and academic institutions, was targeted in the MOVEit hacking campaign. The report added another major financial and education-linked victim relationship to the growing list of organizations affected by Cl0p's mass exploitation.
Honeywell reported as a MOVEit breach victim
Reporting on 2023-06-29 said Honeywell had been compromised in the MOVEit Transfer hacking campaign. The disclosure added a major industrial and technology company to the growing list of organizations publicly identified as affected by Cl0p's mass exploitation.
HHS says MOVEit breach may have exposed data of 100,000 people
On 2023-06-29, CNN reported that the U.S. Department of Health and Human Services was affected by the MOVEit cyberattack and said at least 100,000 people could have had their data exposed. The disclosure added a major U.S. federal health-sector victim to the growing list of organizations impacted by Cl0p's mass exploitation campaign.
UCLA and Siemens Energy confirm MOVEit-related breaches
Reporting on 2023-06-27 said UCLA and Siemens Energy had confirmed breaches tied to the MOVEit Transfer exploitation campaign. The disclosures added a major U.S. university and a global energy technology company to the growing list of publicly identified victims.
Cl0p claims GUS Canada as a MOVEit victim
On 2023-06-23, reporting said Cl0p had added GUS Canada to its list of organizations allegedly compromised in the MOVEit Transfer exploitation campaign. The claim expanded the roster of publicly named victims beyond those already reported such as PwC and Sony.
CalPERS linked to MOVEit breach
On 2023-06-22, reporting said the California Public Employees' Retirement System (CalPERS) was affected by the MOVEit Transfer exploitation campaign. The disclosure added a major U.S. public pension fund to the growing list of organizations impacted by the Cl0p-linked mass exploitation.
Major brands are reported as possible MOVEit victims
By 2023-06-22, reporting linked additional prominent organizations such as EY, PwC, and Sony to the expanding MOVEit victim list. This reflected the campaign's growing impact across major enterprises and service providers.
Telos confirms MOVEit-linked data breach
Telos confirmed that it suffered a data breach related to exploitation of the MOVEit Transfer vulnerability. The disclosure added another named enterprise and government-services contractor to the growing list of organizations affected by the Cl0p-linked mass exploitation campaign.
Cl0p says it does not have BBC, BA, and Boots data
On 2023-06-20, Cl0p reportedly claimed it did not possess stolen data from the BBC, British Airways, or Boots, despite those organizations being linked to the MOVEit fallout through payroll provider Zellis. The statement added a notable attacker response about the scope of data theft affecting several high-profile UK organizations.
Transport for London says MOVEit breach exposed data of about 13,000 drivers
Transport for London disclosed that the MOVEit hack compromised data belonging to about 13,000 drivers. The announcement added a major UK transport-sector organization to the growing list of publicly identified victims tied to the Cl0p MOVEit exploitation campaign.
DOE and several federal agencies reported hit by MOVEit breach
Federal News Network reported that the U.S. Department of Energy was among several federal agencies affected by the MOVEit Transfer exploitation campaign. The report added a specific set of federal-government victims to the growing list of organizations impacted by Cl0p's mass exploitation.
Progress patches third MOVEit vulnerability
On 2023-06-15, Progress patched another MOVEit Transfer flaw, CVE-2023-35708. The additional remediation showed that the incident involved multiple serious vulnerabilities, not just the original zero-day.
Illinois reported impacted by MOVEit ransomware campaign
A 2023-06-12 report said Illinois was affected by the wide-ranging MOVEit/Cl0p attack, adding another U.S. state government victim to the growing list of publicly identified organizations. The disclosure further showed the campaign's expanding impact on public-sector entities.
Progress patches second MOVEit vulnerability
Progress released fixes for a second MOVEit Transfer vulnerability, CVE-2023-35036, as investigators uncovered additional security issues during response efforts. The patch was part of an ongoing effort to contain the exploitation campaign.
Minnesota Department of Education discloses MOVEit-linked student data breach
CBS reported that the Minnesota Department of Education was hit in the global MOVEit cyberattack, exposing data on about 95,000 students. The disclosure added a new public-sector victim to the growing list of organizations affected by the mass exploitation campaign.
Nova Scotia Health says MOVEit breach affected 100,000 people
Nova Scotia Health disclosed that the MOVEit-related breach affected about 100,000 individuals. The notice added a quantified healthcare-sector impact disclosure to the long tail of downstream victim notifications from the Cl0p MOVEit campaign.
Wave of MOVEit breach disclosures begins
By 2023-06-08, organizations were publicly disclosing data breaches tied to the MOVEit flaw as the victim count began to rise. Reporting indicated the incident was expanding beyond direct users to downstream organizations whose data was handled by affected third parties.
Cl0p claims Zellis-linked breaches and sets June 14 extortion deadline
On 2023-06-07, the Russian-speaking Cl0p gang claimed responsibility for breaches affecting BBC and British Airways employee data via payroll provider Zellis. The group said it had data from hundreds of companies and warned victims to negotiate by June 14 before stolen information would be published.
University of Rochester and Nova Scotia identified as early MOVEit victims
Reporting on 2023-06-06 identified the University of Rochester and the government of Nova Scotia as among the first known North American organizations affected by the MOVEit Transfer exploitation campaign. The disclosure added specific early victims to the emerging list of organizations impacted by Cl0p's mass exploitation.
Researchers warn of widespread global MOVEit exploitation
By early June, Rapid7 and other researchers described the MOVEit activity as a widespread threat affecting high-value targets across sectors, sizes, and geographies. Independent tracking already showed a double-digit number of organizations with stolen data, including U.S. government and banking entities.
BBC, British Airways, and Boots linked to MOVEit fallout
On 2023-06-05, BBC reporting identified the BBC, British Airways, and Boots as among the organizations affected by the MOVEit cyberattack through payroll provider Zellis. The report added several high-profile UK brands to the early list of victims tied to the expanding exploitation campaign.
Progress discloses exploited MOVEit zero-day and issues first patch
On 2023-05-31, Progress Software disclosed an actively exploited SQL injection vulnerability in MOVEit Transfer, later tracked as CVE-2023-34362 with a CVSS score of 9.8. The company released fixes and urged customers to take immediate mitigation steps.
Customer reports unusual MOVEit activity over Memorial Day weekend
A MOVEit customer observed suspicious activity during the U.S. Memorial Day weekend, helping surface the broader compromise. This activity preceded public disclosure and indicated active exploitation in the wild.
Cl0p begins exploiting MOVEit Transfer zero-day
Mandiant reported that the Cl0p extortion operation began exploiting a SQL injection zero-day in MOVEit Transfer on 2023-05-27. Attackers used the LemurLoot web shell and in some cases stole data within minutes, potentially including Azure Blob storage credentials from compromised systems.
MOVEit breach toll surges further in later reporting
By May 2026, reporting indicated the data breach toll tied to Cl0p's MOVEit attacks had continued to rise beyond earlier counts. This reflected the prolonged disclosure cycle and ongoing identification of affected organizations and individuals.



