The ALPHV/BlackCat ransomware group has delivered a low-blow to one of its victims, informing the U.S. Securities and Exchange Commission (SEC) that the company affected failed to disclose the data breach within the required four-day window.
The victim is a company called MeridianLink, which is a publicly traded entity that provides a loan origination system and digital lending platform to financial institutions.
It’s thought that the disclosure of the breach by the Blackcat/ALPHV group was due to an lack of compliance by the victim with the ransom terms. The hackers revealed the data breach via the SEC complaints form yesterday and gave MeridianLink an extra 24 hours to cough up, after which time they have threatened to leak the data.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this Tech.co Black Friday offer.
Meridian Ransomware Attack Timeline
According to DataBreaches.net, the ALPHV ransomware operation claimed responsibility for the breach back on November 7.
At the time, the cybercrime gang threatened to leak the supposedly stolen data unless a ransom was paid in 24 hours. Despite the hack taking place over a week ago, no data appears to have been leaked yet.
The threat actor said that they have not yet heard from MeridianLink regarding a payment in exchange for not releasing the alleged stolen data. The supposed lack of response from MedianLink is likely what led to the Black Cat hackers submitting the a complaint to the SEC disclosing details of the breach that impacted “customer data and operational information.”
Criminals Weaponizing the Law
The SEC disclosure highlights that MeridianLink failed to meet the four-day deadline as required in Form 8-K, under Item 1.05. However, according to Reuters, this law doesn’t come into effect until December 15 2023, so the company may have a get out of jail free card.
A screenshot of the complaint was recently published on the ALPHV website in a bid to show legitimacy, as well as the automated response from the SEC. The caption of the screenshot read: “MeridianLink fails to file with the SEC…so we do it for them + 24 hours to pay”.
It’s thought that this SEC complaint is the first confirmed case of a threat actor using the law as a means to further extort or apply additional pressure to ransomware victims. Generally, ransomware hackers prefer trying to intimidate their victims by threatening to expose the hack to customers, rather than government gatekeepers.
MeridianLink Downplays Data Breach Claims
MeridianLink has addressed the breach to BleepingComputer.com, saying that it is still investigating whether personal data related to its customers was stolen.
MeridianLink said: “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
It added that it will notify anyone affected as and when more definitive information becomes available.