According to the organization, the ALPHV ransomware struck MeridianLink’s network on November 7 and took files.
Even though there was no encryption, the organization asserts that MeridianLink knew about the hack. Though the assailants and the business did communicate, no ransom was ever paid.
At this point, it sounds a lot like other ransomware assaults that are happening right now. What the ransomware perpetrators did after that, though, was completely out of the ordinary.
After noticing that publicly traded MeridianLink had not notified the SEC of a cybersecurity problem within the statutory four-day limit, ALPHV took a novel approach by reporting the firm to the SEC.
This was reportedly accomplished using the SEC’s tips, complaints, and referrals page, a system that allows employees to report suspected misconduct, according to news outlets covering the issue.
Individuals Convicted of Extortion Became Whistleblowers?
Although it’s not often that extortion criminals are considered whistleblowers, they took it upon themselves in this case. According to ALPHV’s “complaint” filed with the SEC:
Concerning MeridianLink’s compliance with the recently implemented cybersecurity incident disclosure standards is something we would like to bring to your notice.
We have learned that MeridianLink did not comply with the new SEC regulations and submit the required notification under Item 1.05 of Form 8-K within the four business days, despite a major breach that compromised customer data and operational information.
Keep an eye out for the words “as mandated by the new SEC rules.” It is evident that these lawbreakers are aware of the regulations and believe they can identify a reporting error when they encounter one.
In reality, the requirements mentioned in this statement do not take effect until December 18. Following that date, all publicly traded firms in the US, with the exception of the smallest ones, will actually be required to disclose any cybersecurity events that are considered “material” to the SEC within four days.
Cost-Free Advertising
No consequences are expected to be imposed on MeridianLink, even if the group’s claim is true. MeridianLink has stated that it has discovered “no evidence of unauthorized access to our production platform,” thus there is nothing to disclose.
A sense of impending doom spread throughout the boardrooms of impacted corporations when the SEC released its final version of the regulations in July. However, businesses still haven’t figured out how the regulations apply in various situations. That’s because it’s not always clear what counts as “material” and so requires reporting.
The SEC regulations will most likely not be used as a tool by ransomware gangs to coerce victims into paying ransom. First, the potential SEC fines for a reportable occurrence much outweigh the ransom that a corporation would pay to keep it under wraps.
To add insult to injury, no business is likely to pay in the allotted four days, even if they were willing to. Large firms seldom engage in ransom discussions in a timely manner. In a twist of fate, the threat to sue a corporation might actually make them more compliant with the regulations, rather than being a cunning new method of getting victims to pay up. Such useful and attention-grabbing exposure would be great if every new regulatory system could get it.
