Financial software company MeridianLink has confirmed it is dealing with a cyberattack in which the hackers behind it took "extraordinary measures" to force the company to pay a ransom. MeridianLink, which generated more than $76 million in revenue last quarter, provides tools to U.S. banks, credit unions, mortgage lenders and consumer reporting agencies.
This week, the company was listed on the AlphV/BlackCat leak site, a ransomware gang believed to be based in Russia that has been involved in a number of brazen attacks, including against MGM Resorts.
A MeridianLink spokesperson confirmed to RecordedFutureNews that they recently discovered a cybersecurity incident.
"Upon discovery, we took immediate action to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have found no evidence of unauthorized access to our production platform, and the incident caused minimal business disruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law," the spokesperson said.
The attack has piqued the interest of security researchers because the ransomware group AlphV claimed on its "official website" that they had reported MeridianLink to the U.S. Securities and Exchange Commission (SEC) for failing to notify regulators of the incident, which they claimed occurred a week ago and that the victim failed to fulfill its disclosure obligations.
The ransomware gang later shared a photo of a form it sent to the SEC and falsely claimed that MeridianLink violated the SEC's high-profile new reporting rules, when in fact they don't take effect until next month.
If the rule takes effect, the company would be required to report a "significant" cyber incident within four days of discovering it. Companies and cybersecurity executives are still debating what the SEC considers "significant," and the SEC plans to issue more guidance on the term.
But at the Aspen Cyber Forum this week, several government officials confirmed that the rules do not mean reporting an attack four days after it is discovered, but only when an attack is deemed to have a significant impact on a company's bottom line.
An SEC spokesman declined to comment when asked whether the form or MeridianLink was required to report the incident.
The brazen move is the latest extortion tactic used by ransomware gangs who seek to extort ransom from their victims by any means necessary. This summer, another ransomware gang threatened to report companies to European regulators for suspected violations of the General Data Protection Regulation (privacy and data protection laws in the EU have significantly greater consequences than in the United States) if they didn't pay the ransom.
Jim Doggett, CISO of cybersecurity company Semperis, told Recorded Future News that the move, while eye-popping, could make the gang a target for U.S. law enforcement agencies.
"If they want to stay profitable, it wouldn't be wise to attract unnecessary attention," he said.
Ilia Kolochenko, CEO of application security company ImmuniWeb, noted that abuse of the SEC's new rules to put additional pressure on public companies is foreseeable.
"When victims fail to disclose vulnerabilities within the legally mandated time limits, ransomware actors are likely to start filing complaints with other U.S. and EU regulators. Still, not all security incidents are data breaches, and not all data breaches are reportable data breaches," said Kolochenko, who is also an adjunct professor of cybersecurity and law at Capitol Technology University.
"Regulators and authorities should therefore carefully scrutinize such reports and perhaps even establish a new rule to ignore reports that are not substantiated by credible evidence. Otherwise, exaggerated or even outright false complaints will flood their systems with noise and paralyze their work."