Incident Analysis

MOVEit Data Breach Analysis: How Cl0p Exfiltrated Data from 2,600+ Organisations

Between May and June 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer platform (CVE-2023-34362) to exfiltrate data from more than 2,600 organisations worldwide. BBC, British Airways, Boots, Ernst & Young, the US Department of Energy, and Shell were among confirmed victims. Cl0p never deployed encryption. This was pure data theft extortion — a model that has since become the dominant ransomware strategy.

2,600+ organisations breached through a single file transfer vulnerability. Zero encryption deployed.

How the MOVEit Attack Worked

Cl0p identified and weaponised CVE-2023-34362 — a SQL injection vulnerability in MOVEit Transfer's web application — before Progress Software knew it existed. The group deployed a custom web shell named LEMURLOOT to compromised MOVEit servers, which allowed them to enumerate databases, extract credentials, and exfiltrate files in bulk. The attack was automated at scale: Cl0p had pre-staged infrastructure to receive stolen data from hundreds of targets simultaneously. Victims had no warning. By the time Progress issued an emergency patch on May 31, 2023, Cl0p had already completed data extraction from the majority of their targets.

  • May 27, 2023: Cl0p begins mass exploitation of MOVEit Transfer instances globally
  • May 31, 2023: Progress Software issues emergency patch for CVE-2023-34362
  • June 6, 2023: Cl0p begins posting victim names on their dark web leak site
  • June–October 2023: Rolling disclosures as organisations confirm data exposure
  • Total estimated victims: 2,620+ organisations, 77+ million individuals affected

Why No Encryption Was Needed

MOVEit represented a strategic shift in ransomware economics. Traditional ransomware encrypts files and demands payment for decryption keys — but encryption is noisy, triggers endpoint detection tools, and gives victims the option of restoring from backups. Cl0p bypassed all of this by focusing exclusively on data exfiltration. The stolen data itself became the leverage: pay us or we publish your customer records, employee data, and confidential documents. This model has lower operational risk for the attacker, higher success rates for extortion, and is significantly harder for defenders to detect because file transfer looks like normal business activity.

The Scale of Damage

The MOVEit breach affected organisations across every sector. BBC lost employee personal data. British Airways and Boots had payroll data exposed through their payroll provider Zellis. Ernst & Young lost client audit documents. The US Department of Energy confirmed data exposure at two facilities. Shell confirmed employee data theft. The total financial impact across all victims is estimated to exceed $10 billion when combining regulatory fines, remediation costs, legal settlements, and reputational damage. IBM's 2024 Cost of a Data Breach Report cited MOVEit as evidence that supply chain attacks now represent the most expensive category of breach.

  • BBC: employee personal data including names, dates of birth, National Insurance numbers
  • British Airways: payroll data for all UK employees via Zellis
  • Boots: employee payroll data via Zellis
  • Ernst & Young: client audit and financial documents
  • US Department of Energy: data from Oak Ridge and Waste Isolation Pilot Plant facilities
  • Shell: employee personal data across multiple countries

How Anti-Data Exfiltration Would Have Changed the Outcome

MOVEit exposed a fundamental gap in enterprise security: most organisations had firewalls, endpoint detection, and intrusion prevention systems — yet none of these stopped data from leaving. The attack succeeded because traditional security focuses on keeping attackers out, not preventing data from being extracted once they are in. BlackFog's anti-data exfiltration (ADX) technology operates at the network layer on every endpoint, blocking unauthorised outbound data transfers in real time. Even if Cl0p had compromised a MOVEit server in a BlackFog-protected environment, the bulk data transfers to Cl0p's infrastructure would have been identified and blocked before exfiltration completed.
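One way to implement the outbound-volume check the paragraph above describes, as an added illustration rather than BlackFog's or Kyanite Blue's code: it baselines a file transfer server's normal destinations and volumes from constructed flow records, then flags bulk transfers to a peer the server has never sent to, which is the pattern that distinguishes mass exfiltration from routine file transfer. Host names, IP addresses and byte counts are all constructed.

```python
from collections import defaultdict

# Constructed sample flows (src host, destination IP, bytes sent); not real traffic.
# BASELINE is a quiet prior period, WINDOW is the period under review.
BASELINE = [
    ("moveit-01", "203.0.113.10", 40_000_000),  # known customer, routine volume
    ("moveit-01", "203.0.113.10", 45_000_000),
    ("moveit-01", "198.51.100.7", 12_000_000),  # known partner
    ("moveit-01", "198.51.100.7", 9_000_000),
]
WINDOW = [
    ("moveit-01", "203.0.113.10", 42_000_000),  # routine
    ("moveit-01", "198.51.100.7", 11_000_000),  # routine
    ("moveit-01", "192.0.2.55", 350_000_000),   # never-seen peer, bulk volume
    ("moveit-01", "192.0.2.55", 250_000_000),   # same peer, split across flows
]


def per_destination_totals(flows):
    """Sum outbound bytes per (src_host, dst_ip), so a transfer split into many
    smaller flows is still judged by its aggregate size."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return dict(totals)


def baseline_stats(flows):
    """Per source host: the set of destinations seen before and the mean bytes
    per flow, which together describe what normal file transfer looks like."""
    known, volume = defaultdict(set), defaultdict(list)
    for src, dst, nbytes in flows:
        known[src].add(dst)
        volume[src].append(nbytes)
    mean = {src: sum(v) / len(v) for src, v in volume.items()}
    return known, mean


def flag_exfiltration(baseline, window, ratio=5.0, min_bytes=100_000_000):
    """Return (src, dst, bytes) for window traffic that goes to a destination the
    host has never talked to AND exceeds both an absolute floor and ratio times
    the host's baseline mean. Routine transfers to known peers pass untouched."""
    known, mean = baseline_stats(baseline)
    alerts = []
    for (src, dst), nbytes in sorted(per_destination_totals(window).items()):
        new_peer = dst not in known.get(src, set())
        oversized = nbytes >= max(min_bytes, ratio * mean.get(src, 0.0))
        if new_peer and oversized:
            alerts.append((src, dst, nbytes))
    return alerts
```

With no baseline at all, every destination counts as new and only the absolute floor applies, so tune `min_bytes` to the server's real traffic before relying on it.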

Frequently Asked Questions

What was the MOVEit vulnerability?

CVE-2023-34362 was a SQL injection vulnerability in the MOVEit Transfer web application that allowed unauthenticated attackers to access the database and execute arbitrary code. It was a zero-day — exploited before any patch existed.

How many organisations were affected by the MOVEit breach?

More than 2,620 organisations and approximately 77 million individuals were affected globally. Victims spanned government agencies, financial institutions, healthcare providers, universities, and multinational corporations across 30+ countries.

Did Cl0p deploy ransomware in the MOVEit attack?

No. Cl0p did not encrypt any files. They exfiltrated data and used the threat of publication as leverage for extortion. This pure data theft model has since become the dominant approach for sophisticated ransomware groups.

Prevent the next MOVEit-style data exfiltration

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.