Group files complaint with SEC about unreported breach by victim

The ALPHV/BlackCat ransomware group has taken extortion to a new level by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against one of its alleged victims for failing to comply with the requirement that cyberattacks must be reported to the agency within four days.

The BlackCat gang listed software provider MeridianLink in its data leak with the threat that it would leak data allegedly stolen from the company unless a ransom was paid within 24 hours. MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions and mortgage lenders.

According to DataBreaches.net, the gang said they breached MeridianLink’s network on November 7 and stole data from the company without encrypting the systems. The ransomware operators said that “it appears that MeridianLink has reached out, but we have not yet received a message regarding its termination” to negotiate a payment in exchange for not leaking the data.

The company’s alleged lack of response likely led hackers to exert more pressure by submitting a complaint to the SEC about MeridianLink failing to disclose the cybersecurity incident that impacted “customer data and operational information.”

To show that your complaint is real, BlackCat posted a screenshot of the form you filled out on the SEC’s “Tips, Complaints and Referrals” page on its website. In its own words, the group told the SEC that MeridianLink suffered a “significant breach” and failed to disclose it as required on Form 8-K under Item 1.05.

Following a spate of security incidents at US organizations, the SEC adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions. Reporting cybersecurity incidents “must be done within four business days after the incident, according to the new rule. In fact, the SEC’s new cybersecurity rules are set to take effect on December 15, Reuters explained in early October.

BlackCat gang also provided on its website the response it received from the SEC to the complaint against MeridianLink, to show that the submission was received.

MeridianLink, however, told international media that after identifying the incident, it acted immediately to contain the threat and hired a team of third-party experts to investigate. The company added that it is still working to determine whether any consumer personal information was impacted by the cyberattack and that it will notify affected parties if so.

While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this is the first time a cybercrime group has done so. Previously, ransomware operators exerted pressure on victims by contacting customers to inform them of the intrusion. Sometimes they would also try to intimidate the victim by contacting them directly by phone.