Incident Analysis

MOVEit and Clop Ransomware: How Multiple UK Universities Had Data Stolen in 2023

In late May and June 2023, the Clop ransomware group exploited a critical zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer platform. The mass exploitation campaign hit thousands of organisations globally, including multiple UK universities that ran MOVEit themselves or used suppliers that ran it to move data on their behalf. Data was stolen outright: no systems were encrypted, and no action by the victim organisation was needed for the theft to succeed. The UK universities affected included institutions that used MOVEit for file transfer with UCAS, NHS partners, local government and other organisations. The incident became the defining supply chain attack of 2023 and reshaped how education institutions approach third-party risk.

MOVEit/Clop 2023: thousands of organisations globally had data exfiltrated via a trusted file transfer platform. Multiple UK universities were affected without being attacked directly.

The MOVEit Vulnerability: How It Worked

CVE-2023-34362 was a SQL injection vulnerability in the MOVEit Transfer web application, a managed file transfer product that thousands of organisations run to exchange sensitive files. An attacker with no credentials could send crafted requests that reached the application's backing database, learn its contents, download the files it held, and install a web shell and privileged accounts for continued access. Clop began mass exploitation around 27 May 2023, running automated attacks against every internet-exposed MOVEit installation it could find; Progress published a patch on 31 May. Patching closed the hole but did not undo thefts that had already happened. Because the attack needed no user interaction and left little that routine monitoring would flag, many organisations did not discover they had been compromised until Clop contacted them or the stolen data appeared on Clop's leak site. The check a practitioner wants is therefore retrospective: the web server logs and file system of any MOVEit host that was exposed before the patch need to be searched for the indicators published in the vendor and CISA advisories.
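A concrete form of that retrospective check, written for this page as an added example rather than taken from Progress or any advisory: a small parser for IIS W3C logs from a MOVEit Transfer host that flags requests to the web-shell path the Progress and CISA advisories reported for this campaign (`/human2.aspx`; `/human.aspx` is the legitimate MOVEit web UI). The log excerpt is constructed, the field list is a reduced W3C header, and the indicator set is deliberately a single path so it can be extended from whichever advisory the responder is working from.

```python
"""Hunt for the MOVEit web-shell indicator in IIS W3C logs.

Added example, not code from the page or from Progress. The only indicator
used is a request path of /human2.aspx, the web-shell name reported in the
Progress and CISA advisories for CVE-2023-34362; /human.aspx is the normal
MOVEit Transfer web UI. The log excerpt below is constructed for the example.
"""
from collections import defaultdict

# Extend from the advisory you are working from; compared case-insensitively.
WEBSHELL_STEMS = {"/human2.aspx"}

# Constructed IIS W3C excerpt: one legitimate user session, then an
# unauthenticated client pulling large responses from the web shell.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-bytes
2023-05-28 08:30:00 GET /human.aspx jsmith 192.0.2.20 200 5123
2023-05-28 08:30:04 POST /human.aspx jsmith 192.0.2.20 302 412
2023-05-29 02:11:20 GET /human2.aspx - 198.51.100.7 200 96212
2023-05-29 02:12:03 GET /human2.aspx - 198.51.100.7 200 2048900
2023-05-29 02:15:44 GET /human.aspx - 203.0.113.9 200 5123
"""


def _to_int(value):
    """IIS writes '-' for missing numeric fields; treat those as zero."""
    return int(value) if value.isdigit() else 0


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    The column order is taken from the #Fields directive, so the parser
    works on any site's log format, not just the constructed sample.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("log entry before #Fields header")
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated line: skip rather than misalign columns
            records.append(dict(zip(fields, values)))
    return records


def webshell_hits(records):
    """Requests whose URI stem matches a known web-shell name."""
    return [r for r in records
            if r.get("cs-uri-stem", "").lower() in WEBSHELL_STEMS]


def summarise_by_client(hits):
    """Per client IP: request count and bytes returned, a proxy for data pulled."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for r in hits:
        entry = summary[r["c-ip"]]
        entry["requests"] += 1
        entry["bytes_out"] += _to_int(r.get("sc-bytes", "-"))
    return dict(summary)


if __name__ == "__main__":
    hits = webshell_hits(parse_iis_w3c(SAMPLE_IIS_LOG))
    for ip, s in summarise_by_client(hits).items():
        print(f"{ip}: {s['requests']} web-shell requests, "
              f"{s['bytes_out']} bytes returned")
```

On a real host the input is the W3C files under the IIS log directory (by default under `inetpub\logs\LogFiles`), for the window between the first reported exploitation and the date the patch was applied. Two caveats a responder should keep in mind: no hits is not evidence of no compromise, because the web shell may have been removed or the log retention may not reach back far enough, so the file system and the MOVEit user table should be checked as well; and a hit from an authenticated username still counts, since the point of the web shell was to create accounts.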

UK Universities Affected: Direct and Indirect Exposure

UK universities faced two categories of MOVEit exposure.

**Direct exposure**: Universities that operated MOVEit Transfer on their own infrastructure had data exfiltrated from those servers. This typically meant data in transit to external partners: NHS bodies, local government, UCAS and research collaborators.

**Indirect exposure via suppliers**: Universities whose data was processed by suppliers running MOVEit had data exfiltrated from the supplier's systems, with no vulnerability in university systems at all. This is the defining characteristic of supply chain attacks: a university's own security posture was irrelevant if a trusted supplier was running vulnerable software.

UCAS, the Universities and Colleges Admissions Service, confirmed it was affected by the MOVEit vulnerability. As UCAS processes application data for virtually all UK universities, the potential downstream impact on student data was significant.

Clop: The Threat Actor Behind MOVEit

Clop (also written Cl0p) is a Russian-speaking ransomware group active since 2019. It is notable for exploiting vulnerabilities in widely deployed software to hit many organisations at once rather than intruding into targets one at a time. Before MOVEit, Clop ran similar campaigns against Accellion FTA (December 2020 to January 2021) and GoAnywhere MFT (early 2023). The MOVEit campaign was its most impactful to date, affecting thousands of organisations including US federal agencies, major corporations, UK universities and NHS bodies. In these campaigns Clop does not deploy an encryptor: it steals data and extorts victims by threatening to publish it on its leak site, so the victims' systems keep running and the intrusion is easy to miss.

What Universities Should Learn From MOVEit

The MOVEit incident challenged assumptions about third-party risk in the education sector:

- Vendor security certifications are not sufficient: MOVEit was a commercial, widely used product, yet it contained a critical zero-day vulnerability.
- Supply chain risk is not theoretical: data can be exfiltrated from trusted suppliers without any action on the university's part.
- UCAS and sector-wide platforms create systemic risk: a vulnerability in a platform used by all universities affects all universities.
- Detection is difficult: universities often did not know they were affected until Clop's notification or data publication.
- Third-party data inventories are essential: universities need to know what data each supplier holds and whether any data was in scope.

Responding to Supply Chain Data Breaches

When a trusted supplier notifies a university of a breach, the response must be rapid:

1. Assess immediately what data the supplier held and whether it was in scope of the breach, including data the supplier passed on to its own sub-processors.
2. Determine whether personal data (student, staff or research subject data) was affected.
3. If so, assess the risk to individuals and determine ICO notification obligations. Under UK GDPR the 72-hour window runs from when the university, as controller, becomes aware of the breach, which in a supplier breach is usually the supplier's notification.
4. Notify affected individuals where the risk to them is high.
5. Review the Data Processing Agreement with the supplier for breach notification and liability provisions.
6. Document all decisions and actions for regulatory purposes.
7. Reassess the supplier relationship and whether data sharing should continue.
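Steps 1 and 2 of that procedure, and the direct versus indirect exposure distinction drawn earlier, become mechanical once the third-party data inventory exists. The following is an added example written for this page, not code from the page or from any supplier: a minimal inventory model and a scoping routine that, given the name of a compromised platform, walks each data flow outward through supplier and sub-processor chains and reports every route along which the data touched that platform. All parties, platforms and data categories are constructed; UCAS appears only because the page names it, and its modelled platform usage is an assumption for the example.

```python
"""Scope a supplier breach against a third-party data inventory.

Added example, not code from the page. It carries out steps 1 and 2 of the
response procedure: find every data flow that touched a compromised platform,
whether the university sent it over that platform itself ("direct"), the
supplier runs it ("supplier"), or a party further down the chain runs it
("sub-processor"). All parties, platforms and data categories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Party:
    name: str
    platforms: frozenset           # transfer/processing platforms this party runs
    sub_processors: tuple = ()     # parties it passes the data on to


@dataclass(frozen=True)
class DataFlow:
    category: str
    recipient: str                 # party the university shares the data with
    transport: str                 # platform the university itself uses to send it
    personal: bool                 # contains personal data (UK GDPR scope)


@dataclass(frozen=True)
class Finding:
    category: str
    personal: bool
    kind: str                      # "direct", "supplier" or "sub-processor"
    path: tuple                    # chain of parties outward from the university


# Constructed inventory. "Cloud backup co" is deliberately absent from PARTIES
# to show how an inventory gap surfaces.
PARTIES = {p.name: p for p in (
    Party("UCAS", frozenset({"MOVEit Transfer"})),
    Party("NHS trust", frozenset({"NHSmail"})),
    Party("Print vendor", frozenset({"SFTP"}), ("Mailing house",)),
    Party("Mailing house", frozenset({"MOVEit Transfer"}), ("Cloud backup co",)),
    Party("Research partner", frozenset({"SharePoint"})),
)}

FLOWS = (
    DataFlow("applicant records", "UCAS", "UCAS web portal", True),
    DataFlow("placement rotas", "NHS trust", "MOVEit Transfer", True),
    DataFlow("graduation mailing list", "Print vendor", "SFTP", True),
    DataFlow("aggregated research stats", "Research partner", "MOVEit Transfer", False),
    DataFlow("library usage stats", "Research partner", "SharePoint", False),
)


def scope_breach(parties, flows, compromised_platform):
    """Return (findings, gaps).

    A gap is a sub-processor named in a chain but missing from the inventory:
    exposure there can be neither confirmed nor ruled out, which is itself a
    result the responder needs to see.
    """
    findings, gaps = [], []
    for flow in flows:
        if flow.transport == compromised_platform:
            findings.append(Finding(flow.category, flow.personal, "direct", ()))
        stack, seen = [(flow.recipient, (flow.recipient,))], set()
        while stack:  # depth-first walk down the sub-processor chain
            name, path = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            party = parties.get(name)
            if party is None:
                gaps.append((flow.category, name))
                continue
            if compromised_platform in party.platforms:
                kind = "supplier" if len(path) == 1 else "sub-processor"
                findings.append(Finding(flow.category, flow.personal, kind, path))
            stack.extend((sub, path + (sub,)) for sub in party.sub_processors)
    return findings, gaps


def personal_data_in_scope(findings):
    """Categories containing personal data: the input to the risk assessment
    that decides whether ICO notification is required."""
    return sorted({f.category for f in findings if f.personal})


if __name__ == "__main__":
    findings, gaps = scope_breach(PARTIES, FLOWS, "MOVEit Transfer")
    for f in findings:
        route = " -> ".join(f.path) or "university's own system"
        print(f"{f.kind:13} {f.category:28} via {route}")
    print("personal data in scope:", personal_data_in_scope(findings))
    print("inventory gaps:", gaps)
```

The output for the constructed inventory lists the two flows the university itself sent over the compromised platform, the flow that reached UCAS, and the mailing list that reached a sub-processor two hops away, which a supplier-only view would have missed. The unresolved "Cloud backup co" entry is the reason the inventory has to include sub-processors, not only the parties the university contracts with directly.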

Frequently Asked Questions

Did UK universities have to notify the ICO about the MOVEit breach?

Universities whose data was exfiltrated via MOVEit, whether directly or through a supplier, had to assess their ICO notification obligations: under UK GDPR the university remains the data controller even when the breach happened at a processor. If personal data of students, staff or research subjects was involved and the breach was likely to result in a risk to individuals, notification to the ICO within 72 hours of becoming aware was required. Universities affected through UCAS or other sector-wide suppliers needed to establish what data those suppliers held on their behalf and whether it was within scope.

How can universities protect against future MOVEit-style attacks?

No organisation can fully prevent zero-day exploitation of third-party software. However, universities can reduce the impact by: maintaining a complete inventory of the data held by each third-party supplier, including its sub-processors; ensuring Data Processing Agreements include breach notification SLAs; monitoring vendor security disclosures, patching software the university runs itself as soon as fixes are released, and confirming that suppliers have done the same; minimising the data shared with suppliers to what is strictly necessary, and removing files from transfer platforms once the recipient has collected them so that a later compromise finds less to steal; and having a tested supply chain breach response procedure.

Is Panorays useful for managing EdTech supplier risk after MOVEit?

Panorays provides continuous security rating monitoring of third-party suppliers — tracking changes in their security posture, disclosed vulnerabilities, and security certifications. For universities managing dozens of EdTech and research data suppliers, Panorays automates the ongoing risk assessment that would otherwise require manual monitoring of each supplier. When a supplier's security rating deteriorates — or a vulnerability is disclosed — Panorays alerts the institution so action can be taken.

Monitor your EdTech suppliers' security posture continuously

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
