11 July 2023

MOVEit Attack 2023: What the Largest Supply-Chain Hack of the Year Teaches Us

In May and June 2023, the Russian-speaking hacker group Clop exploited a zero-day vulnerability in MOVEit Transfer, stealing data from an estimated 2,500+ organizations worldwide. The MOVEit attack is the largest supply-chain attack on file transfer software to date – and a lesson in third-party risks.

TL;DR

  • Zero-Day in MOVEit Transfer: SQL injection vulnerability (CVE-2023-34362) allowed unauthorized data access.
  • Clop group: Russian-speaking ransomware group that focuses on data extortion rather than encryption.
  • 2,500+ victims: Including U.S. federal agencies, BBC, British Airways, TK Maxx, and many others.
  • No encryption: Clop stole data but did not encrypt it – the attack aimed at extortion through data publication.
  • Lesson in third-party risks: Many victims did not operate MOVEit themselves but used it through service providers.

The Attack: Technically Explained

CVE-2023-34362 is an SQL injection vulnerability in the web application of MOVEit Transfer. The Clop group exploited this vulnerability to access the database, exfiltrate data, and leave behind so-called web shells that enable persistent access.
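The root cause class named here, SQL injection, is easiest to understand side by side with its fix. The following is an added, self-contained illustration using a constructed SQLite table; it is not MOVEit's code and says nothing about the specific vulnerable query in CVE-2023-34362. The vulnerable function builds SQL text from user input, so a tautology such as `' OR '1'='1` changes the query's structure; the hardened function binds the same input as a parameter, so it is only ever treated as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a file-transfer app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # Defect: user input is spliced into the SQL text, so the input
    # can close the quoted literal and append its own conditions.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_hardened(conn, username):
    # Fix: a bound parameter is always a value, never SQL syntax,
    # whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both variants against the same hostile and benign inputs."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed tautology input
    return {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, hostile)),  # every row leaks
        "hardened_rows": len(lookup_user_hardened(conn, hostile)),      # no match
        "normal_rows": len(lookup_user_hardened(conn, "alice")),        # ordinary lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The detection-side takeaway is the same as the fix: any code path that assembles SQL from request data is a finding, regardless of whether a working payload has been demonstrated against it.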

Particularly insidious: Progress Software patched the vulnerability quickly (May 31, 2023), but the attackers had already had access for weeks. Many victims only found out weeks later that they were affected – because MOVEit was running with their service provider.

Why So Many Victims?

MOVEit Transfer is managed file transfer software used by many companies and agencies for secure file transfer. Crucially: Many of the victims had not installed MOVEit themselves but used it through specialized payroll and HR service providers like Zellis or PBI Research Services.

The classic supply-chain problem: Even if a company's own IT is secure, an attack on a service provider can compromise the same data. British Airways and the BBC were affected because their HR service provider Zellis used MOVEit.

What Companies Must Learn From This

Maintain a third-party inventory: Which service providers have access to sensitive data? What tools do they use? Without this inventory, responding to MOVEit-like incidents is hardly possible.

Contractual obligations: Security incidents must be anchored in SLAs and data processing agreements (German: AVV) with concrete reporting obligations and response times.

Data minimization: What is not stored or transferred cannot be stolen. The GDPR requirement for data minimization is also a security principle here.

Patch monitoring for suppliers: Critical CVEs in software from key suppliers must be actively monitored, rather than waiting for the service provider to report them proactively.
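The inventory, contractual reporting and patch-monitoring points above (and the summary of them in the FAQ) combine into one mechanical check: cross a third-party inventory that records which provider runs which product on which of your data against an advisory feed, and flag every provider that has not confirmed patching since the vendor's fix date. The following is an added example, not the article's or any vendor's tooling; the inventory rows, the provider names, the data classes, the confirmation dates and the second advisory (with a placeholder CVE id) are constructed. Only CVE-2023-34362, its CVSS 9.8 and the 31 May 2023 patch date come from the article.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Dependency:
    provider: str                    # third party that handles our data
    product: str                     # software the provider runs on our behalf
    data_classes: Tuple[str, ...]    # which of our data passes through it
    patch_confirmed: Optional[str]   # ISO date the provider confirmed patching, None if never


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    patch_date: str                  # ISO date the vendor released the fix


# Constructed third-party inventory (assumed data, not real providers).
INVENTORY = [
    Dependency("Payroll provider A", "MOVEit Transfer", ("bank details", "employee PII"), None),
    Dependency("HR provider B", "MOVEit Transfer", ("employee PII",), "2023-06-02"),
    Dependency("CRM provider C", "Example CRM", ("customer contacts",), None),
]

# Constructed advisory feed; the second entry uses an obviously fake placeholder id.
ADVISORIES = [
    Advisory("CVE-2023-34362", "MOVEit Transfer", 9.8, "2023-05-31"),
    Advisory("CVE-0000-00000", "Example CRM", 5.3, "2023-01-15"),
]


def open_exposures(inventory: List[Dependency], advisories: List[Advisory],
                   min_cvss: float = 9.0) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (provider, cve, data_classes) for every provider that runs a product
    with an advisory at or above min_cvss and has not confirmed patching on or after
    the vendor's fix date. ISO dates compare correctly as strings."""
    findings = []
    for dep in inventory:
        for adv in advisories:
            if adv.product != dep.product or adv.cvss < min_cvss:
                continue
            unconfirmed = dep.patch_confirmed is None or dep.patch_confirmed < adv.patch_date
            if unconfirmed:
                findings.append((dep.provider, adv.cve, dep.data_classes))
    return sorted(findings)


def providers_to_contact(inventory: List[Dependency], advisories: List[Advisory]) -> List[str]:
    """Distinct providers that owe a contractual status report under the critical threshold."""
    return sorted({provider for provider, _, _ in open_exposures(inventory, advisories)})


if __name__ == "__main__":
    for provider, cve, data in open_exposures(INVENTORY, ADVISORIES):
        print(f"{provider}: no patch confirmation for {cve}; exposed data: {', '.join(data)}")
```

Run daily against a real advisory feed, this turns the "did our provider patch?" question into an explicit list of outreach items with the affected data classes attached, which is also the input a GDPR breach assessment needs.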

Key Facts at a Glance

Affected organizations: Approximately 2,500+ worldwide (as of August 2023)

Attackers: Clop (TA505) – Russian-speaking group known for data theft extortion

CVE: CVE-2023-34362 (CVSS 9.8 – critical)

Attack method: SQL injection → data exfiltration → web shell → extortion

Patch available: May 31, 2023 – but the attack had already occurred

Fact: 77 percent of ransomware victims who paid the ransom were attacked again, according to Cybereason.

Fact: According to the Allianz Risk Barometer 2025, cyberattacks are the greatest business risk worldwide.

Frequently Asked Questions

What is MOVEit Transfer?

MOVEit Transfer is a managed file transfer solution from Progress Software used by companies and agencies for secure, traceable file transfer. It is widely used enterprise software.

How can you check if you are affected?

Check if MOVEit Transfer is used directly or through service providers. Progress has published Indicators of Compromise (IoCs). CISA also offers guidance. Affected service providers should actively provide information.

Did Clop demand ransom?

Clop operates without classic ransomware encryption – instead, they threaten to publish the stolen data. Companies were asked to contact them; otherwise, the data will be published on the Clop leak site.

Are GDPR reporting obligations relevant?

Yes. In the event of data breaches affecting personal data, the 72-hour reporting obligation to the supervisory authority applies. Affected companies must check whether and which personal data has been leaked.

How do you protect against similar attacks?

Build third-party risk management, maintain a software inventory of all service providers, actively monitor critical CVEs, and include contractual reporting obligations in all service provider contracts.

Further Articles on the Topic

→ Supply Chain Security 2026: How Companies Protect Their Software Supply Chain

→ Third-Party Risk Management: The Risk Lurks Everywhere

Further Reading in the Network

Cloud Security Current: cloudmagazin.com

IT Risks for Executives: digital-chiefs.de

Header Image Source: Pexels / Tima Miroshnichenko

About the author: Benedikt Langer

A magazine by Evernine Media GmbH