The US Securities and Exchange Commission (SEC) has received a complaint from a well-known ransomware group alleging that a victim failed to notify of a purported data breach that was the consequence of an attack carried out by the cybercrime gang itself.
The systems of MeridianLink, a California-based business that offers digital lending solutions for financial institutions and data verification services for consumers, are allegedly compromised by the ransomware groups known as Alphv and BlackCat.
The cybercriminals assert that they have taken a large quantity of MeridianLink’s customer and operational data, and they are threatening to release it unless they get a ransom.
As per the criteria issued by the agency in July, MeridianLink was supposed to notify the breach within four business days. MeridianLink is accused of failing to do so, and the hostile hackers claim to have filed a complaint with the SEC against the company in an apparent attempt to boost their chances of getting compensated.
On November 15, BlackCat released screenshots from their leak website demonstrating that the SEC had received and filed the complaint.
It seems that this is the first time an SEC complaint has been made against a victim by a ransomware outfit.
The hackers told DataBreaches.net that they carried out the attack on MeridianLink on November 7 and that day it was found. According to them, the attack was solely data theft and had nothing to do with ransomware that encrypts files.
MeridianLink, however, informed DataBreaches.net that the hack happened on November 10.
“We took rapid action to contain the threat upon discovering that same day, and we assembled a group of outside experts to look into the issue. The company stated that it cannot release more information since it is still conducting an investigation. “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the statement read.
It’s important to note that the new SEC regulations pertaining to data breach disclosure won’t take effect until mid-December 2023. Furthermore, as per MeridianLink’s statement, corporations are yet to notify the SEC of a cybersecurity event that they believe is relevant to investors, despite being obligated to do so within four business days.
One of the most active ransomware groups is BlackCat, and the gang frequently tries novel approaches to persuade victims to pay up, such as creating personal leak websites for each victim.