A threat actor who goes by the online moniker “Nam3L3ss” has leaked employee data belonging to a number of corporations – including Amazon, 3M, HSBC and HP – ostensibly compromised during the May 2023 MOVEit hack by the Cl0p ransomware gang, which affected British Airways, the BBC, Aer Lingus, Boots. Zellis, and others.
Nam3L3ss’ post leaking Amazon employee data (Source: Hudson Rock)
More data leaks announced
“The stolen data, which dates back to May 2023, includes employee directories from 25 major organizations,” Alon Gal, CTO of cybercrime intelligence company Hudson Rock, shared.
Here’s the list of affected companies, along with the number of compromised / leaked records (as stated by the threat actor on BreachForums):
- Amazon — 2,861,111 records
- MetLife — 585,130 records
- Cardinal Health — 407,437 records
- HSBC — 280,693 records
- Fidelity (fmr.com) — 124,464 records
- U.S. Bank — 114,076 records
- HP — 104,119 records
- Canada Post — 69,860 records
- Delta Airlines — 57,317 records
- Applied Materials (AMAT) — 53,170 records
- Leidos — 52,610 records
- Charles Schwab — 49,356 records
- 3M — 48,630 records
- Lenovo — 45,522 records
- Bristol Myers Squibb — 37,497 records
- Omnicom Group — 37,320 records
- TIAA — 23,857 records
- Union Bank of Switzerland (UBS) — 20,462 records
- Westinghouse — 18,193 records
- Urban Outfitters (URBN) — 17,553 records
- Rush University — 15,853 records
- British Telecom (BT) — 15,347 records
- Firmenich — 13,248 records
- City National Bank (CNB) — 9,358 records
- McDonald’s — 3,295 records
Hudson Rock researcher contacted Nam3L3ss, who said that they would leak more data in the following days.
“Researchers can’t yet confirm whether the data came from CL0P, affiliates of it, or whether Nam3L3ss exploited these companies on their own,” Gal added.
Amazon confirms data leak
Hudson Rock has cross-referenced emails from the Amazon and HSBC datasets to Linkedin profiles of employees, as well as to emails found in infostealer infections involving employees of those companies, and have confirmed that the leaked data is authentic.
Amazon has confirmed it as well. Spokesperson Adam Montgomery has told the media that the leaked data includes employee work contact information – e.g., work email addresses, desk phone numbers, and building locations – and that it wasn’t sourced from Amazon, but from one of the company’s property management vendors.
According to the VX-Underground collective, the leaked Amazon data set contains employee information, but also details about Amazon physical locations and related costs.
“None of the data (as we’ve seen thus far) contains customer information,” Hudson Rock said, but the detailed employee information can be misused by a various threat actor to mount fraudulent schemes and extremely personalized phishing and social engineering attacks against the affected companies, as well as perform indentity theft.