In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.
According to sources, AlphV is a ransomware operation. According to the DataBreaches.net post, on November 15, 2023, AlphV disclosed on its “leak site” that on November 7 they had exfiltrated data files from the loan originator and digital lending platform MeridianLink. The BleepingComputer.com article reported that in its post on its leak site, AlphV threatened that they would leak allegedly stolen data unless a ransom was paid within 24 hours.
DataBreaches.net reports, apparently based on a direct communication with the ransomware actor, that the ransomware actor said that “it appears that MeridianLink reached out [to AlphV] but we are yet to receive a message on their end” to negotiate a payment for not leaking the supposedly stolen data.
The SEC Complaint
As the BleepingComputer post put it, “the alleged lack of a response from the company likely prompted the hackers to exert more pressure” by sending a complaint to the SEC, calling the company out for not disclosing that the hackers had breached the company’s system in a way that impacted “customer data and operational information.” AlphV also reported its SEC complaint on its leak site, in an item entitled “MeridianLink fails to file with the SEC … so we do it for them + 24 hours to pay.”
AlphV posted an image of their SEC report on their leak site; DataBreaches.net reproduced the image in its blog post, and I have copied the image of the report below.
The AlphV SEC complaint states: “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.
“It has come to our attention that MeridianLink, in light of a significant breach comprising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K with the stipulated four business days, as mandated by the new SEC rules.”
AlphV apparently also reproduced on its site the automated receipt the SEC generated for the complaint submission; DataBreaches.net reproduced the receipt image on its site, and I have copied it below.
DataBreaches.net apparently contacted MeridianLink about the incident and their incident response. MeridianLink reportedly responded as follows: “Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov. 10. Upon discovery the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. We have no further details to offer currently, as our investigation is ongoing.”
Although you do have to be impressed with the hackers’ sheer audacity in filing the non-disclosure complaint with the SEC, the hackers’ allegations are faulty in two ways.
First, the hackers alleged that MeridianLink violated the cybersecurity disclosure guidelines by failing to make the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days. However, the cybersecurity incident current report disclosure obligation of Item 1.05 does not go into effect until December 18, 2023, and the current reporting obligation does not go into effect for smaller reporting companies until June 15, 2024. (For further detail about the effective dates of the new cybersecurity disclosure rules, refer here.)
Second, even if the disclosure requirement were otherwise in effect, it may or may not have been triggered here. The new rules state that the cyber incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material.” (Companies cannot “unreasonably delay” the determination that they need to disclose an incident.)
While the hackers in their SEC complaint described the incident as constituting a “significant breach,” MeridianLink’s description of the incident in its statement to DataBreaches.net stated that the company had “identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” MeridianLink may well contend that it has made no determination that the incident was “material,” and therefore that the four-day reporting period was not even triggered.
It could be argued that AlphV’s filing of the SEC complaint is just a publicity stunt, and that is probably true at some level. In its November 18, 2023 article about the MeridianLink cyber ransom incident, the Wall Street Journal quotes a cybersecurity expert as saying about AlphV’s SEC complaint that “This is just a new way of applying pressure to companies to get them to comply.”
Just the same, the sequence of events does show the challenges companies face in dealing with cybersecurity issues. Even if the filing of the complaint is just a stunt, it does highlight the regulatory challenges that companies face when dealing with cybersecurity incidents. The Journal article also quotes a cybersecurity attorney as saying that “Now the bad guys are recognizing that the U.S. regulatory landscape is becoming acutely more dangerous for companies.”
I will say that, evaluating the SEC complaint ploy as a publicity stunt, you have to give the hackers some credit; they managed to get themselves (and their breach) into the Wall Street Journal.