MOVEit, the biggest hack of the year, by the numbers

The unprecedented exploitation of MOVEit Transfer software has swiftly solidified its status as the most significant breach of the year thus far. While the full extent of the attack’s impact may remain undisclosed for several months, cybersecurity firm Emsisoft reports that the MOVEit breach has already affected over 1,000 known victims. This milestone not only crowns the MOVEit breach as the largest hack of 2023 but also places it among the most substantial in recent history.

The fallout began in May when Progress discovered a zero-day vulnerability in MOVEit Transfer, its widely-used managed file transfer service that facilitates the secure movement of large amounts of sensitive data over the internet. This critical-rated vulnerability granted attackers, specifically the notorious Clop ransomware and extortion gang, unauthorized access to MOVEit Transfer servers, enabling them to pilfer customers’ confidential information.

Since then, Clop’s relentless attacks and threats to expose the stolen data have persisted, resulting in an escalating number of victim organizations, affected individuals, and the consequent costs associated with this fallout. In this analysis, we delve into the staggering impact of the MOVEit mass hack.


On August 25, as the count of victim organizations surpassed 1,000, the number of affected individuals also crossed the 60 million mark. This data, provided by Emsisoft, is derived from state breach notifications, SEC regulatory filings, and other public disclosures. Emsisoft highlights the possibility of some overlap in terms of impacted individuals, anticipating further increases as more organizations confirm MOVEit-related data breaches.


According to researchers at Emsisoft, organizations based in the United States make up a significant majority (83.9%) of known victims of MOVEit. German organizations account for approximately 3.6% of total victims, followed by Canadian companies at 2.6% and United Kingdom firms at 2.1%.

11 million

In, Maximus, a contracting giant for U.S. government services, suffered the largest breach in the history of MOVEit. The company confirmed that hackers had gained access to the protected health information of up to 11 million individuals, including their Social Security numbers. At that time, the exact number of affected individuals had not been determined.

The magnitude of this incident is closely followed by the breach of Pôle emploi, the French government’s unemployment agency. They recently confirmed a breach that exposed the personal data of up to 10 million people. This makes Pôle emploi the second-largest known victim of this mass-hack.

Completing the list of top five MOVEit victims are the Louisiana Office of Motor Vehicles with 6 million affected individuals, the Colorado Department of Health Care Policy and Financing with 4 million, and the Oregon Department of Transportation with 3.5 million.


According to security analysis firm Censys, approximately one-third of the vulnerable MOVEit servers in operation during the mass-hacks belonged to financial service-related organizations. The firm’s report, which examined 1,400 openly accessible MOVEit servers on the internet, indicated that 15.96% of the servers were affiliated with the healthcare sector, 8.92% were associated with information technology organizations, and 7.5% were attributed to government and military entities.


Based on data from IBM, the estimated total cost of the MOVEit mass-hacks is now available. It’s worth noting that last year’s average data breach cost $165, and this number is coupled with the confirmed count of impacted individuals.

However, Emsisoft points out that only a few corporate victims have reported the number of affected individuals so far. According to them, if we were to scale this number, the cost would exceed $65 billion to date.


According to researchers, it is believed that Clop may have been silently exploiting its MOVEit vulnerability since 2021. In a report by the U.S. risk consulting firm, Kroll, it was revealed that although news of this vulnerability surfaced in late May, Kroll researchers identified activities suggesting that Clop had been experimenting with exploiting this weakness for nearly two years.

Kroll states, “It seems that the threat actors behind Clop had already perfected the MOVEit Transfer exploit during the time of the GoAnywhere incident and deliberately executed the attacks sequentially rather than simultaneously.”

These findings shed light on the extensive duration and calculated approach employed by Clop, underscoring the importance of staying vigilant against such threats.


The Clop ransomware group has caught the attention of the U.S. State Department, prompting them to offer a substantial $10 million bounty for any information regarding the incident. This comes after the unfortunate compromise of records from various entities within the department during the MOVEit breach.

Adding to the gravity of the situation, the Department of Energy has confirmed to ProWellTech that two of its own entities were among those affected by the breach.


Coveware, a company specializing in ransomware recovery, has estimated the potential earnings of Clop from the MOVEit mass-hacking campaign. Even though this amount comes from only a few victims who succumbed to the hackers’ demands and paid significant ransoms, it is truly astounding and alarming. Coveware compares this sum to the annual offensive security budget of Canada, emphasizing the sheer magnitude of funds controlled by this relatively small group.


Clop allegedly boasts possession of a substantial amount of government data related to government, city, and police services. In a recent post on their dark web leak site, the group claimed that it would “act responsibly” and delete all government-related data. However, the validity of Clop’s claim remains unsupported, and ProWellTech has been unable to verify their assertions. The hackers articulated that their motivations are solely financial.