On Nov. 10, MeridianLink discovered a threat actor’s access to a non-privileged user account, according to a statement on the digital lending software company’s website. While a breach like this is not novel, the ransomware group behind the attack made an attention-grabbing move. ALPHV filed a formal complaint with the US Securities and Exchange Commission (SEC), calling MeridianLink out for not disclosing the breach.
The attack took place on Nov. 7, and the ransomware group exfiltrated data, rather than encrypting it, according to databreaches.net. An insider with ALPHV told databreaches.net that MeridianLink was aware of the attack the day that it happened.
The SEC’s new data breach disclosure rule is not set to go into effect until December, but ALPHV’s complaint with the regulatory body may be a new tactic that threat actors adopt as they continue to attack and exploit victims. How should cybersecurity leaders and other enterprise executives be preparing for this possibility?
Read the rest of the story from Information Week here.