Dental benefits group notifying almost 7 million Americans of MOVEit data theft

Almost 7 million U.S. residents are being notified by a dental benefits provider that their personal information was stolen in one of the biggest single attacks involving the MOVEit file transfer application.

Delta Dental of California and its affiliates, which provide dental benefits to individuals through commercial groups, said the attacker copied subscribers’ names, Delta financial account number or their credit/debit card numbers, along with security access codes, passwords or PIN numbers with the accounts. Passport numbers in some cases were also copied.

According to numbers tracked by Emsisoft, this is the third biggest publicly confirmed data theft from an individual company so far. The biggest is Maximus Inc., a U.S. government services provider, which said information on 11.3 million people was stolen from its MOVEit Transfer system.

The Clop/Cl0p ransomware gang has taken credit for discovering and exploiting a zero day vulnerability allowing it to bypass multifactor authentication on both on-premises and cloud versions of Progress Software’s MOVEit application.

The vulnerability, CVE-2023-34362, has been assigned a severity rating of 9.8 out of 10. 

U.S.-based organizations account for 78.4 per cent of known victims, Emsisoft says, Canada-based 13.8 percent and Germany-based 1.4 per cent. The most heavily impacted sectors are education (40.0 percent), health (19.6 percent), and finance and professional services (12.7 percent).

According to researchers at Kroll LLC, the most common technique of compromise involved a dropped web shell to inject a session or create a malicious account. From there, threat actors were able to reauthenticate and use the MOVEit application itself to transfer files.

However, in a few instances, the attacker passed three variables to the web shell: The organization ID, the folder ID and the file name. From there, the web shell utilized MOVEit API calls for file enumeration and data exfiltration. A Python script was used exfiltrate data during the initial wave of co-ordinated and largely automated attacks across MOVEit servers.

Kroll forensic analysis has also seen activity suggesting the Clop gang was likely experimenting with ways to exploit this particular vulnerability as far back as 2021.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.