ALPHV ransomware group files SEC complaint against victim

Ransomware mockup of a red neon motherboard with a floating triangular warning sign denoting danger

(Image credit: Getty Images)

The ALPHV ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) amid claims that a victim organization failed to disclose a security breach.

ALPHV claims that MeridianLink, a digital solutions provider for financial services institutions, did not comply with SEC regulations stating an organization must disclose a cyber attack within four working days.

The ransomware group added MeridianLink to its victim list leak site this week after an alleged successful attack against the company on 7 November, giving the firm 24 hours to comply with a ransom demand.

ALPHV said that no files were encrypted in the attack, but it did exfiltrate company data.

A copy of the SEC filing shared with DataBreaches suggests MeridianLink failed to adhere to disclosure rules in the wake of the breach, which require a company to disclose an incident through a Form 8-K with the regulator.

A CGI image of a glowing blue padlock made of energy representing zero trust network security, surrounded with glowing points representing a network. — (Image credit: Getty Images)

US-led coalition of nations agrees to end ransomware payments to hackers Software vulnerabilities are declining, but third-party risks still linger Ragnar Locker “likely to rebrand” in wake of takedown

The new four-day disclosure rule was announced by the SEC in July 2023 in a bid to improve data breach reporting for US organizations. The new guidelines aren’t set to come into force until December, however.

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” the ALPHV complaint reads.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

RELATED RESOURCE

Whitepaper cover with cartoon image of female wheel chair user talking to a man wearing a cap, with another man lifting a message bubble onto a phone screen — (Image credit: ServiceNow)

Learn about the latest cyberthreats

DOWNLOAD NOW

ALPHV told DataBreaches that an individual from MeridianLink had reached out to the group in the wake of the breach, but talks went cold. The group further alleges that the solutions provider “patched the way used to get in” after the group’s threat was issued.

In response to the filing, MeridianLink told the publication it “acted immediately to contain the threat” and has since engaged with third-party security experts to investigate the incident.

“We have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.