Hackers use a new SEC rule to snitch on the company they infiltrated
New regulations will require companies to disclose breaches within four business days.
A hacking group deployed a surprising tactic after infiltrating a financial software company’s network. They reported the breach to the US Securities and Exchange Commission (SEC).
DataBreaches.net initially reported on the incident, which was conducted by ALPHV / BlackCat, a group known for breaching entities as diverse as MGM Resorts and Reddit. The hackers reportedly infiltrated the servers of fintech company MeridianLink on November 7, stealing company data without encrypting it. However, when the business neglected to negotiate directly, the hackers increased the pressure by filing a report with the SEC.
They did so citing a new rule the SEC passed this summer, which requires companies falling victim to “material cybersecurity incidents” to report them to the agency within four business days.
However, the four-day requirement may not have taken effect yet. At least one official form claims the rule kicked in 90 days after the date of publication in the Federal Register (they appear to have been published on August 4, making that alleged effective date November 2) or December 18. But the Federal Register document says, “With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8–K and in Form 6–K [the part referring to the four-day requirement], all registrants other than smaller reporting companies must begin complying on December 18, 2023.” Adding to the confusion, Reuters reported in October that the rule takes effect on December 15.
Engadget reached out to the SEC to clarify whether the rule is active yet. We’ll update this article if we hear back.
MeridianLink told BleepingComputer that it quickly worked to contain the threat. “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the company wrote. The company says it’s still trying to determine if any consumer personal information was breached, promising to notify affected parties if it was.
Whether the SEC has any teeth (or desire) to do anything about MeridianLink’s failure to report the incident in four business days, the rule could, ironically, serve as a new tool for cyber attackers. Rather than contacting customers or making calls to tighten the grip and pressure companies to comply with their demands, perhaps they can now simply rat them out to Uncle Sam.