BlackCat Gang Tattles to SEC About Victim Not Disclosing BreachRansomware Group Says MeridianLink Didn't Tell SEC About Cyberattack Within 4 Days
The notorious BlackCat ransomware group tattled to U.S. federal regulators about an alleged victim not disclosing a material cyberattack within four business days.
The ransomware gang - also known as Alphv - listed financial services software developer MeridianLink on its data leak site Wednesday and threatened to leak stolen data unless it receives a ransom within 24 hours. BlackCat said it had compromised MeridianLink's systems on Nov. 7 and exfiltrated files without actually encrypting them.
"MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago," BlackCat wrote on its leak site Wednesday. "We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission."
The SEC adopted a rule in July that requires publicly traded companies such as MeridianLink to disclose most "material cybersecurity incidents" within four business days of determining materiality. The disclosure rule will start being enforced in mid-December for larger businesses and in mid-June for smaller publicly traded companies (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
The company's stock is down $0.03 - or 0.16% - to $18.52 per share. In an emailed statement, a company spokesman said a forensics investigation so far has shown "no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption."
The SEC did not immediately respond to a request for comment. BlackCat's actions were first reported by DataBreaches.net.
The ransomware group published a screenshot of the form it had filled out on the SEC's tips, complaints and referrals page. It told the SEC that MeridianLink had suffered a "significant breach" and did not disclose it as required, and it posted proof to its data leak site showing that its submission had been received by federal regulators.
This is believed to be the first time a ransomware operator has attempted to get its victim in trouble with the SEC, although other groups have threatened to report breaches to regulators (see: Tattletale Ransomware Gangs Threaten to Reveal GDPR Breaches).