The ALPHAV / Blackcat ransomware gang have filed a “Failure to report” complaint with the United States Securities and Exchange Commission (SEC) against one of its own victim companies.
The gang infiltrated the corporate network of financial services supplier MeridianLink in early November although the company initially denied having been compromised.
This denial is what led to ALPHAV submitting the report to the SEC – they posted snapshots of the filing on their dark web blog with a message that the company had 24 hours to resolve the situation, or their data would be released.
Following a number of security incidents at American organisations, the SEC introduced new rules that require publicly traded companies to report any cyberattacks that have a material impact to the operation of the business, i.e. influence investment decisions.
Under the new ruling, which is set to become mandatory on December 15th 2023, incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material,”
A spokesperson for MeridianLink said that “Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,”
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”