What Happened: The MOVEit Transfer Attack
In May 2023, the Cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer, a managed file transfer platform used by thousands of organisations globally. The attackers did not deploy ransomware. They did not encrypt a single file. Instead, they mass-exfiltrated data from every vulnerable MOVEit instance they could reach. By the time Progress issued a patch, Cl0p had already stolen data from over 2,600 organisations and more than 95 million individuals had their personal data exposed. The victims included the BBC, British Airways, Boots, Ofcom, Shell, and dozens of NHS trusts.
Why This Attack Was Different
MOVEit was a pure exfiltration attack. Cl0p never encrypted anything — they simply stole data and threatened to publish it unless victims paid. This made traditional ransomware defences (backups, endpoint detection) irrelevant. The attack exploited a zero-day, meaning no signature existed to detect it. It targeted a trusted enterprise tool that organisations had whitelisted in their security policies. The data left through legitimate HTTPS channels, making it invisible to most DLP and firewall systems. This is the template for modern cyber attacks: silent exfiltration through trusted infrastructure.
- Zero encryption — pure data theft
- Zero-day vulnerability with no prior signatures
- Targeted a trusted, whitelisted file transfer tool
- Data exfiltrated through legitimate HTTPS channels
- Over 2,600 organisations compromised in weeks
The Supply Chain Amplification Problem
Many MOVEit victims were not running MOVEit themselves. Their data was compromised because a supplier, payroll provider, or benefits administrator used MOVEit. PwC, EY, and Deloitte were affected through their clients' data. Zellis, the UK payroll provider, exposed data from the BBC, BA, and Boots. This is supply chain risk at scale: a single vulnerability in one vendor cascaded to thousands of downstream organisations. Continuous third-party risk monitoring with tools like Panorays would have flagged the exposure before the breach.
Lessons for UK Businesses
First, anti data exfiltration (ADX) must be part of your stack. If BlackFog had been deployed on affected endpoints, the outbound data transfers to Cl0p's infrastructure would have been blocked in real time. Second, annual vendor questionnaires are not enough — you need continuous, automated supply chain risk monitoring. Third, assume every managed file transfer, SaaS tool, and integration is a potential exfiltration vector. The NCSC's post-MOVEit guidance explicitly recommends monitoring outbound data flows, not just inbound threats.
- Deploy ADX to block unauthorised outbound data transfers
- Replace annual vendor audits with continuous third-party risk monitoring
- Audit all managed file transfer platforms for known CVEs
- Implement zero-trust principles for all data movement
- Report to the ICO within 72 hours if UK personal data is involved
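The post's central observation is that the stolen data left through the file transfer server's own HTTPS channel, so the place to look for it is the server's outbound record of who downloaded how much. The script below is an added example (not code from the original post or from any vendor named in it) of the kind of egress-volume baselining that "monitoring outbound data flows" means in practice: it parses access-log lines, buckets served bytes per client per hour, and flags any bucket that is far above the median hourly volume and touched many distinct files. The log format, the thresholds (`byte_factor`, `min_files`) and the sample lines are all assumptions constructed for illustration; a production baseline would span weeks of history rather than the single day shown.

```python
"""Egress-volume anomaly detection over a file transfer server's access log.

Added example, not code from the original post or from any vendor it names.
The log format, the baseline window and the thresholds are assumptions;
the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed combined-log-style format: client IP, timestamp, request line,
# status code and response size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a normal working day of small downloads, then one client
# pulling many distinct files within seconds (the bulk-exfiltration pattern).
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2023:09:01:10 +0000] "GET /api/v1/files/1001 HTTP/1.1" 200 52000
10.0.0.7 - - [28/May/2023:09:15:44 +0000] "GET /api/v1/files/1002 HTTP/1.1" 200 48000
10.0.0.5 - - [28/May/2023:10:03:21 +0000] "GET /api/v1/files/1003 HTTP/1.1" 200 61000
10.0.0.7 - - [28/May/2023:11:40:09 +0000] "GET /api/v1/files/1004 HTTP/1.1" 200 55000
10.0.0.5 - - [28/May/2023:14:22:31 +0000] "GET /api/v1/files/1005 HTTP/1.1" 200 49000
203.0.113.9 - - [28/May/2023:23:10:02 +0000] "GET /api/v1/files/1006 HTTP/1.1" 200 9800000
203.0.113.9 - - [28/May/2023:23:10:05 +0000] "GET /api/v1/files/1007 HTTP/1.1" 200 12400000
203.0.113.9 - - [28/May/2023:23:10:09 +0000] "GET /api/v1/files/1008 HTTP/1.1" 200 7600000
203.0.113.9 - - [28/May/2023:23:10:12 +0000] "GET /api/v1/files/1009 HTTP/1.1" 200 15100000
203.0.113.9 - - [28/May/2023:23:10:15 +0000] "GET /api/v1/files/1010 HTTP/1.1" 200 11300000
"""


def parse_log(text):
    """Yield (ip, timestamp, path, bytes) for every line matching LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["path"], int(m["bytes"])


def hourly_egress(records):
    """Aggregate served bytes and distinct paths per (client IP, hour) bucket."""
    bytes_by = defaultdict(int)
    files_by = defaultdict(set)
    for ip, ts, path, size in records:
        bucket = (ip, ts.replace(minute=0, second=0, microsecond=0))
        bytes_by[bucket] += size
        files_by[bucket].add(path)
    return bytes_by, files_by


def detect_bulk_egress(log_text, byte_factor=10.0, min_files=5):
    """Flag (ip, hour) buckets whose served volume is at least byte_factor times
    the median hourly volume across all buckets AND that touched at least
    min_files distinct files. Returns alert dicts sorted by bytes, descending."""
    bytes_by, files_by = hourly_egress(parse_log(log_text))
    volumes = sorted(bytes_by.values())
    if not volumes:
        return []
    median = volumes[len(volumes) // 2]
    alerts = []
    for bucket, total in bytes_by.items():
        if total >= byte_factor * median and len(files_by[bucket]) >= min_files:
            alerts.append({
                "ip": bucket[0],
                "hour": bucket[1].isoformat(),
                "bytes": total,
                "distinct_files": len(files_by[bucket]),
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script reports a single alert for the 203.0.113.9 bucket at 23:00, which served roughly 56 MB across five files against a median hourly volume of 55 kB. The two conditions are deliberately combined: volume alone would flag a legitimate user fetching one large archive, while file count alone would flag a sync client; bulk theft through the application's own API tends to show both at once.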
Frequently Asked Questions
What was the MOVEit Transfer vulnerability?
CVE-2023-34362 was a critical SQL injection vulnerability in Progress Software's MOVEit Transfer product. It allowed unauthenticated attackers to access the database and exfiltrate data. It was exploited as a zero-day by the Cl0p ransomware gang before any patch was available.
How many organisations were affected by the MOVEit breach?
Over 2,600 organisations and more than 95 million individuals were affected globally. UK victims included the BBC, British Airways, Boots, Ofcom, Shell, and multiple NHS trusts.
Could the MOVEit breach have been prevented?
The zero-day itself was difficult to prevent, but the data exfiltration could have been blocked. Anti Data Exfiltration (ADX) technology monitors all outbound data flows and blocks unauthorised transfers regardless of the attack vector. Continuous supply chain risk monitoring would also have flagged MOVEit as a high-risk dependency.
What should I do if my supplier uses MOVEit?
Check with your supplier whether they were affected and whether your data was involved. Review your data processing agreements. Implement continuous third-party risk monitoring to track exposure across your supply chain. Report any UK personal data exposure to the ICO within 72 hours.