Nova Scotia’s minister of cyber security and digital solutions, Colton LeBlanc, announced in a press conference yesterday that the province is investigating the theft of personal information through a vulnerability in a third-party managed file transfer system. The province was notified of the vulnerability in MOVEit Transfer by the vendor on Jun. 1, and immediately took the system offline to install a security update.
However, late on Jun. 2, it was informed that further investigation was necessary, took the service offline again, and called in security experts.
In a press release issued Sunday, the provincial government said it is working to discover what information was stolen, and how many people were affected.
“Nova Scotians will have questions, and we do, too. Our staff are working hard to figure that out now,” LeBlanc said in the release. “I know this will make some people anxious, at a time when no one needs more anxiety. We will share more information with Nova Scotians as soon as we can.”
MOVEit vendor Progress Software published a security advisory on May 31 about a critical vulnerability that “could lead to escalated privileges and potential unauthorized access to the environment.” It urged users to disable internet traffic to their MOVEit Transfer environments, and to immediately install the security update.
The flaw was originally described as affecting only MOVEit Transfer. MOVEit Cloud was added to the alert on Jun. 4.
TechCrunch reported today that the vulnerability is under active attack and affecting organizations around the world, including British Airways and the BBC, whose payroll support provider, Zellis, uses MOVEit.
Microsoft researchers believe that the Clop ransomware gang is behind the attacks.