Alphv and BlackCat, a notorious ransomware group, claim to have breached the systems of MeridianLink, a California-based company providing digital lending and consumer data verification solutions. The cybercriminals assert they’ve obtained substantial customer data and operational information, threatening to leak it unless a ransom is paid.
In an unprecedented move, the hackers allege they’ve lodged a complaint with the SEC against MeridianLink for failing to disclose the breach within four business days, as mandated by new agency rules introduced in July.
Screenshots published by BlackCat on November 15 purportedly display the filed complaint with the SEC, marking the first instance of a ransomware group initiating such action against a victim.
The attack, reportedly focused on data theft and not file-encrypting ransomware, allegedly occurred on November 7, according to the hackers. However, MeridianLink contends that the intrusion was identified on November 10.
MeridianLink responded to the allegations, stating immediate action upon discovery to contain the threat and engage third-party experts for investigation. They assert minimal business disruption and no evidence of unauthorized access to production platforms, citing an ongoing investigation as reason for withholding further details.
It’s essential to note that the new SEC disclosure rules concerning data breaches will come into effect in mid-December 2023, necessitating companies to notify the SEC within four business days of deeming a cybersecurity incident material to investors—a step yet to be taken by MeridianLink as per their statement.
When approached, an SEC spokesperson declined to comment on the matter.
BlackCat, known for innovative tactics to pressure targets into compliance, including dedicated leak websites for individual victims, remains active in ransomware operations.
