MOVEit Data Leak Exposes Employee Data of Amazon, HSBC & More – What You Need to Know

A new wave of data leaks tied to the infamous MOVEit vulnerability has rattled the cybersecurity landscape once again. Different from last year’s Cl0p ransomware-led attacks, this latest MOVEit data leak is attributed to a new threat actor, “Nam3L3ss.” Targeting major organizations, this actor has released vast amounts of sensitive employee data on a Dark Web forum.

Among the affected organizations are notable names like Amazon, HSBC, British Telecom, and McDonald’s. Altogether, the leaked records reveal sensitive employee directories, spanning thousands of entries per company, containing contact information, job titles, and even internal structures.

For affected organizations, the threat is real and significant: this level of exposure provides a potential roadmap for attackers aiming to exploit the stolen data in future targeted phishing campaigns or other social engineering attacks.

In this article, we will outline the key details of the breach, affected organizations and the threat actor’s claims, and examine possible implications.

What Happened? Background of the MOVEit Data Leak

The recent data breach attributed to the threat actor “Nam3L3ss” unfolded on the well-known hacking forum, BreachForums. Through a series of posts, Nam3L3ss exposed extensive employee directories, including personal details, organizational hierarchies, and additional internal files.

The leak posts by the threat actor, including the latest MOVEit related databases

On November 8, 2024, SOCRadar’s Dark Web News module alerted our customers to the threat actor’s leak-related posts. According to the details shared in these posts, the data source is MOVEit, suggesting that the data exposure leverages the same MOVEit Transfer vulnerability exploited in last year’s Cl0p ransomware attacks.

The leak posts, viewed on SOCRadar’s Dark Web News module

In the latest leaks by Nam3l3ss, affected entities reportedly include industry leaders like Amazon, HSBC, MetLife, Cardinal Health, Fidelity, U.S. Bank, HP, Canada Post, Delta Airlines, Leidos, Lenovo, McDonald’s, and others. Following these high-profile leaks, customers of the affected organizations could face an increased risk of social engineering and fraud schemes.

Also notably, while the breach spans many companies, data leaks have been verified for Amazon and HSBC, where HR/accountant records have been exposed, but no customer information appears to have been compromised. It was assessed that these breaches occurred around May 31, 2023.

Leaks Tied to the MOVEit Vulnerability (CVE-2023-34362); Is Nam3l3ss Related to Clop Ransomware?

This latest breach appears tied to the critical MOVEit Transfer vulnerability identified in 2023, designated CVE-2023-34362, which allowed unauthorized access by bypassing security controls in the file transfer software. Exploited by various threat actors in the past (such as Cl0p and LockBit), this flaw has impacted major industries worldwide.

Nam3L3ss lists MOVEit as the data source in their posts, leading researchers to suggest that the vulnerability might be involved in this exposure. However, it’s still uncertain if Nam3L3ss directly exploited MOVEit themselves or leveraged data exposed by earlier attackers.

An Infostealers blog further details that while the notorious Cl0p ransomware group previously used this exploit, many companies in this breach, such as Amazon and McDonald’s, were not previously associated with Cl0p. Additionally, in the threat actor’s “manifesto,” they deny any connection to ransomware groups, claiming instead to expose systemic security weaknesses; they also state they are not a hacker.

Details of CVE-2023-34362 (Source: SOCRadar Vulnerability Intelligence)

For the latest insights into vulnerabilities like CVE-2023-34362 in MOVEit Transfer and emerging threats, SOCRadar’s Vulnerability Intelligence module provides detailed updates on active CVEs and threat trends.

Threat Actor’s Intentions and Approach – A Self-Described Watcher, Not Hacker

In the manifesto we mentioned, which was released alongside the data leak, Nam3L3ss claims they do not actively hack organizations but “simply monitor the dark web and exposed online cloud services.”

Denying the title of ‘hacker’, Nam3L3ss said they target misconfigured and publicly accessible cloud storage services such as AWS buckets, Google Cloud, and FTP servers, along with open databases on platforms like MongoDB.

A manifesto posted by the threat actor along MOVEit data leak posts

The manifesto further notes a blame game, as Nam3L3ss argues that if companies or government agencies fail to secure sensitive information through encryption or other safeguards, they are responsible for any breaches that occur, not their third-parties. They insist they will continue to post any unprotected data they find “until governments take data and PII security seriously.”

In light of the MOVEit data leak, SOCRadar’s Dark Web Monitoring module offers your organization a proactive edge by keeping tabs on such threats on Dark Web forums, markets, and underground networks. With timely alerts, you’ll know immediately if sensitive information or assets tied to your brand surface in Dark Web spaces. Here are the key features of SOCRadar’s Dark Web Monitoring module:

• Instant Threat Alerts: Get notified whenever your organization’s assets are mentioned on the dark web.
• Compromised Credential Detection: Stay aware of exposed credentials linked to your company.
• Early Data Breach Indicators: Spot warning signs to prevent unauthorized access before it becomes a larger issue.

With these capabilities, SOCRadar helps you stay ahead, safeguarding your organization from emerging dark web threats and protecting your brand’s reputation.

Top Companies Impacted by the Recent MOVEit Leaks

Among the compromised organizations, the following companies have the highest number of exposed records, each surpassing 100,000 entries:

These vast datasets expose employee information on a significant scale, underscoring the depth of this latest breach and heightening concerns over potential exploitation, such as phishing, social engineering, and identity fraud.

Insights from the Amazon and HSBC Data Breaches

As the data leaks from Amazon and HSBC have been confirmed, the scope of the exposed information reveals significant internal details about both organizations. Researchers authenticated these datasets by cross-referencing email addresses with LinkedIn profiles and other sources.

It was revealed that HSBC’s dataset spans its global operations, including fields such as user IDs, employee names, email addresses, and location details. In parallel, Amazon’s dataset contains information like employee names, contact details, job titles, and internal department codes—exposing sensitive organizational structures that could be vulnerable to social engineering attacks.

Amazon confirmed the breach on November 11, 2024, clarifying that only work-related contact information was compromised, with no exposure of Social Security numbers (SSNs) or financial data.

Conclusion

The recent MOVEit data leaks pose serious risks for the affected companies, exposing them to potential phishing attacks, fraud schemes, and social engineering tactics that malicious actors can exploit using the stolen employee information. With sensitive internal details such as employee names, contact information, and more now accessible, cybercriminals have the resources needed to craft highly targeted phishing campaigns and impersonation attempts, putting both employees and company data at risk.

The reputational damage following such breaches can be significant. High-profile companies like Amazon and HSBC could face increased scrutiny, as these incidents undermine public trust and raise questions about their data security measures.

To further protect against these risks, companies must employ proactive monitoring and defensive measures. SOCRadar’s Brand Protection service, served under the Digital Risk Protection (DRP) module provides a comprehensive defense, tracking potential impersonators across domains, mobile apps, and social media platforms.

Track phishing and fraud attempts with SOCRadar’s Brand Protection

This tool helps your organization identify fake accounts, phishing schemes, and fraud attempts, as well as neutralize them with the Integrated Takedown feature, reducing the likelihood of successful social engineering attacks. In today’s threat landscape, leveraging these protective measures is essential to maintaining customer trust and resilience against targeted attacks.