BlackCat SEC Complaint Against MeridianLink For Non-Disclosure Of Cyberattack


In a move that blurs the lines between cybercrime and regulatory action, the ALPHV/BlackCat ransomware group has reportedly taken an extraordinary step by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink.

ALPHV/BlackCat SEC complaint against MeridianLink alleges that MeridianLink, a prominent technology firm, failed to disclose a significant cybersecurity incident to its stakeholders, marking a rare instance where cybercriminals have directly engaged with regulatory authorities.

Following the breach on November 7, the ransomware group had listed MeridianLink on their data leak platform, issuing a 24-hour ultimatum to pay the ransom or face exposure of the purportedly stolen data.

Notably, the hackers asserted that they accessed MeridianLink’s data without resorting to system encryption, a claim that further complicates the cybersecurity incident.

ALPHV/BlackCat SEC Complaint Against MeridianLink

ALPHV claimed that their attempts to negotiate with MeridianLink went unanswered, leading them to take the unprecedented action of filing an SEC complaint.

In the complaint, they accused MeridianLink of failing to inform the public about a cybersecurity incident that compromised customer data and operational information.

This tactic by ALPHV is being viewed by some experts as a strategic maneuver, potentially representing a form of triple extortion in the cybercrime landscape.

Cyber Extortion

To substantiate their claim, ALPHV published a screenshot on their website of the SEC complaint submission, filled out on the SEC’s Tips, Complaints, and Referrals page. The hacker collective informed the SEC that MeridianLink suffered a “significant breach” and failed to disclose it as required by Form 8-K, under Item 1.05.

SEC’s New Rules 

With the SEC’s upcoming rules, effective December 15, 2023, requiring publicly traded companies to disclose materially impactful cyberattacks within a four-day window, ALPHV’s complaint puts MeridianLink’s adherence to these new regulations into question.

ALPHV/BlackCat SEC complaint against MeridianLink directly challenges whether the company has complied with the impending reporting mandate.

The move by the ransomware gang marks a new frontier in cyber extortion, as it may be the first public confirmation of a threat group reporting a cyberattack to the SEC. The cybersecurity community awaits the SEC’s response to this unprecedented situation and the potential implications for future ransomware attacks.

The situation also prompts questions about the SEC’s approach to handling detailed breach reports submitted by threat groups, especially in the context of the upcoming cybersecurity regulations. It highlights the challenges of assessing the credibility and impact of such information when reported by the perpetrators themselves.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.





Source link