Hackers Weaponize SEC Disclosure Rules Against Corporate Targets

The ransomware group ALPHV (aka "BlackCat") has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations.

An ALPHV insider told databreaches.net that, on Nov. 7, the group successfully attacked the digital lending service provider MeridianLink, exfiltrating without encrypting its files. Thereafter, aside from one interaction, the prolific threat actor failed to engage the company in negotiations over the stolen data.

ALPHV posted that data to its leak site on Wednesday. It also tried out an unprecedented extra extortion tactic, filing a report about its own crime to the SEC, claiming that its victim failed to follow new SEC guidelines for how soon companies have to publicly disclose their breaches.

"This is yet another warning to security leaders, who must recognize that disclosure decisions and plans are no longer solely guided by security best practices; federal legal liabilities also play an important role," says Patrick Tiquet, vice president of security and architecture at Keeper Security.

ALPHV Playing Cop and Robber at the Same Time

On July 26, the SEC announced new cyber rules for public companies. One standout was a requirement that companies disclose "any cybersecurity incident they determine to be material," along with a description of "the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant." Such a submission "will generally be due four business days after a registrant determines that a cybersecurity incident is material."

When four days passed with no word from MeridianLink, ALPHV submitted information about the breach through the SEC's official website:

"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," the group wrote. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules."

The source provided databreaches.net with a screenshot of the form, and the automated receipt confirming submission.

Nuance in the New SEC Rule

Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.

For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn't yet sure if any consumer personal information was compromised, adding that "based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption." Exactly what data ALPHV stole and published may affect whether the breach is "material," per SEC language.

Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board).

Future victims of similar attacks will have fewer breaks to count on.

"Using the threat of filing a 'failure to report' complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group's benefit," Tiquet warns. "Disciplinary action from the SEC is not to be taken lightly and fines can be very steep."