In a move that blurs the lines between cybercrime and regulatory action, the ALPHV/BlackCat ransomware group has reportedly taken an extraordinary step by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink.
ALPHV/BlackCat SEC complaint against MeridianLink alleges that MeridianLink, a prominent technology firm, failed to disclose a significant cybersecurity incident to its stakeholders, marking a rare instance where cybercriminals have directly engaged with regulatory authorities.
Following the breach on November 7, the ransomware group had listed MeridianLink on their data leak platform, issuing a 24-hour ultimatum to pay the ransom or face exposure of the purportedly stolen data.
Notably, the hackers asserted that they accessed MeridianLink’s data without resorting to system encryption, a claim that further complicates the cybersecurity incident.
ALPHV/BlackCat SEC Complaint Against MeridianLink
ALPHV claimed that their attempts to negotiate with MeridianLink went unanswered, leading them to take the unprecedented action of filing an SEC complaint.
In the complaint, they accused MeridianLink of failing to inform the public about a cybersecurity incident that compromised customer data and operational information.
This tactic by ALPHV is being viewed by some experts as a strategic maneuver, potentially representing a form of triple extortion in the cybercrime landscape.
To substantiate their claim, ALPHV published a screenshot on their website of the SEC complaint submission, filled out on the SEC’s Tips, Complaints, and Referrals page. The hacker collective informed the SEC that MeridianLink suffered a “significant breach” and failed to disclose it as required by Form 8-K, under Item 1.05.
SEC’s New Rules
With the SEC’s upcoming rules, effective December 15, 2023, requiring publicly traded companies to disclose materially impactful cyberattacks within a four-day window, ALPHV’s complaint puts MeridianLink’s adherence to these new regulations into question.
MeridianLink, in response to inquiries from The Cyber Express, has officially confirmed a recent cybersecurity incident and asserted that swift measures were taken to mitigate the threat.
“MeridianLink recently detected a cybersecurity incident, and safeguarding the information of our customers and partners is of utmost importance to us. Upon discovery, immediate action was taken to contain the threat, and we promptly enlisted the expertise of third-party professionals to conduct a thorough investigation,” stated company officials.
“Based on our current investigation findings, we have not identified any evidence of unauthorized access to our production platforms, and the impact on our business operations has been minimal. If we ascertain that any consumer personal information was compromised in this incident, we commit to providing the necessary notifications as mandated by law. At present, we do not have additional details to share, as our investigation is still in progress,” officials further emphasized.
ALPHV/BlackCat SEC complaint against MeridianLink directly challenges whether the company has complied with the impending reporting mandate.
The move by the ransomware gang marks a new frontier in cyber extortion, as it may be the first public confirmation of a threat group reporting a cyberattack to the SEC. The cybersecurity community awaits the SEC’s response to this unprecedented situation and the potential implications for future ransomware attacks.
The situation also prompts questions about the SEC’s approach to handling detailed breach reports submitted by threat groups, especially in the context of the upcoming cybersecurity regulations. It highlights the challenges of assessing the credibility and impact of such information when reported by the perpetrators themselves.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.