A group of cyber criminals known for undertaking ransomware attacks on businesses has notified a US regulator about an alleged cybersecurity breach it was responsible for, alleging that the victim also failed to comply with data breach reporting requirements.

Cyber risk expert David McIlwaine of Pinsent Masons said the case was an example of the tactics those behind ransomware attacks can deploy to pressure victims into paying a ransom.

According to Ars Technica and ITPro, ransomware group AlphV notified the US Securities and Exchange Commission (SEC) about “a significant breach compromising customer data and operational information” at technology supplier MeridianLink. AlphV claimed that MeridianLink also “failed to file the requisite disclosure” of the breach under new rules established by the SEC earlier this year.

The SEC rules require US public companies to disclose “material cybersecurity incidents” within four business days of determining that a cybersecurity incident is material. However, the rule does not take effect until 18 December 2023.

MeridianLink said it had “identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption”. It added that if it determines that any consumer personal information was involved in the incident, it would “provide notifications, as required by law”.

McIlwaine said: “There is an increasing trend of victim organisations not engaging with cybercriminals who are attempting to extort payment through ransomware. In response to that we have seen ransomware groups adopt more aggressive strategies to gain attention and to secure engagement in the ransom process. This has included cybercriminals making contact with a much wider group of people in victim organisations and, in some examples, their families.”

“This new development of contacting the SEC is concerning, clearly aimed at accelerating and escalating the organisation’s response to the extortion attempt. It also highlights the need to have immediate crisis communications support available as part of the wider incident response team,” he said.

In its latest annual report, published last week, the UK’s National Cyber Security Centre (NCSC) described ransomware as “one of the most acute cyber threats facing the UK”. It said UK organisations “should take action to protect themselves from this pervasive threat”.

The NCSC said 2,005 cyber incidents had been reported to it between September 2022 and August 2023 and that it had issued 24.48 million notifications over the period, “informing organisations that they were experiencing a cyber incident”, under its early warning system.

During the year, the NCSC said it received 297 reports of ransomware activity, of which it helped in managing 28 incidents. Organisations in academia, manufacturing, IT, finance, and engineering reported the most ransomware incidents to the NCSC.
