The ALPHV ransomware gang is a notorious cybercriminal group that has been targeting various organizations with data theft and extortion schemes. One of their recent victims is MeridianLink, a software company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders. MeridianLink is a publicly traded company on the Nasdaq stock exchange, which makes it subject to the regulations of the U.S. Securities and Exchange Commission (SEC).
On November 7, 2023, the ALPHV gang claimed that they breached MeridianLink’s network and stole two terabytes of sensitive data, including information belonging to the SEC, the Department of Defense, the FBI, and other agencies¹². The hackers did not encrypt the company’s systems, but instead threatened to leak the data on their dark web site unless MeridianLink paid a ransom within 24 hours³. However, MeridianLink did not respond to the hackers’ demands, nor did it disclose the cyberattack to the public or the SEC as required by law⁴.
The SEC is the federal agency that oversees the securities markets and protects investors from fraud and abuse. The SEC has recently adopted new rules that require publicly traded companies to report cyberattacks that have a material impact on their business operations, financial condition, or investor confidence. The new rules are based on the principle that cyberattacks are a significant risk factor that investors should be aware of when making investment decisions. The new rules also aim to deter cybercriminals from targeting publicly traded companies by increasing the legal consequences of their actions.
According to the new rules, publicly traded companies must file a Form 8-K with the SEC within four business days after they determine that a cyberattack is material. A Form 8-K is a report that provides current information about major events that affect a company, such as mergers, acquisitions, bankruptcies, changes in management, or cyberattacks. The Form 8-K must include a description of the cyberattack, its impact, the company’s response, and any remediation measures taken or planned. The new rules also require companies to update their Form 8-K if there are any material changes or developments related to the cyberattack.
The new rules are set to take effect on December 15, 2023, but the SEC expects companies to comply with them voluntarily before then. The SEC also encourages companies to report cyberattacks to law enforcement authorities and cooperate with their investigations. The SEC has the authority to enforce the new rules and impose sanctions on companies that fail to comply with them. The sanctions may include fines, injunctions, cease-and-desist orders, or criminal charges.
The ALPHV gang, apparently aware of the new rules, decided to put more pressure on MeridianLink by filing a complaint with the SEC, accusing the company of violating the four-day rule to disclose a cyberattack⁴. The hackers posted a screenshot of the complaint form on their site, showing that they reported MeridianLink for failing to disclose a “significant breach” that impacted “customer data and operational information”. The hackers also posted a screenshot of the email they received from the SEC, confirming that the complaint was received and assigned a case number.
The hackers’ complaint to the SEC is an unusual and ironic move, as it exposes their own illegal activity and identity to the authorities. It is unclear what the hackers hoped to achieve by snitching on MeridianLink, but it may have been an attempt to intimidate the company, damage its reputation, or trigger an SEC investigation that could result in penalties or lawsuits for the company. However, the hackers’ complaint may also backfire, as it could draw more attention and resources from the SEC and other law enforcement agencies to track down and arrest the hackers.
The cyberattack on MeridianLink and the hackers’ complaint to the SEC are examples of the growing sophistication and audacity of ransomware gangs, who are constantly looking for new ways to extort money and cause disruption to their targets. The incident also highlights the importance of cybersecurity and incident reporting for publicly traded companies, which face increasing regulatory and legal obligations to protect their data and inform their investors and stakeholders of any cyber threats that may affect their business.