Skip to content
HomeBlogThreat Watch

The MOVEit Breach: Supply-Chain Lessons for Every Business

Chain of glowing blue links crossing a dark circuit board, one fractured link glowing red

The MOVEit breach is the clearest lesson yet that your data is only as safe as the software your vendors run. Since late May, the Cl0p extortion group has been exploiting a zero-day flaw in MOVEit Transfer, a file-transfer product used by thousands of organizations — and most victims never installed it themselves. Here’s what happened, and what every business should take away from it.

What happened with MOVEit

On May 31, Progress Software disclosed a critical SQL injection vulnerability in MOVEit Transfer, a managed file-transfer tool companies use to exchange sensitive files with partners, payroll processors and customers. By the time the patch shipped, the Cl0p group had already been quietly pulling data from exposed servers.

Notably, the attackers didn’t encrypt anything. They stole data and moved straight to extortion, and since mid-June they have been adding victim names to a leak site. The confirmed list already includes a major UK payroll provider — exposing employees of British Airways, the BBC and Boots — the government of Nova Scotia, several US federal agencies and multiple state motor-vehicle departments. It grows by the week.

It didn’t end with one patch, either. Researchers found two more flaws in the same product this month, forcing further emergency updates. And the same group ran a nearly identical campaign against the GoAnywhere file-transfer tool earlier this year. This is a repeatable playbook, not a one-off.

Why this is a supply-chain breach

Here’s the uncomfortable part: many of the people whose data was stolen had never heard of MOVEit. Their payroll provider ran it, or their benefits administrator, or a vendor of a vendor. That is what supply-chain risk means in practice — you can outsource the work, but you can’t outsource the accountability. When employee or customer data leaks, your staff, your clients and regulators all come to you.

And if you’re assuming this is a big-company problem, don’t. Small businesses use the same payroll processors, benefits platforms and accounting firms the giants do — often through a reseller, which adds another layer between you and the breach notice. Being small doesn’t shrink your exposure; it just shrinks your visibility into it.

Five supply-chain lessons to act on

1. Map where your data actually lives

List every vendor that holds or moves sensitive data for you — payroll, benefits, accounting, marketing platforms. If you can’t name them, you can’t question them.

2. Patch internet-facing systems in days, not months

File-transfer servers, VPNs and remote-access tools are the front door. Exploitation of the MOVEit flaw began before most victims knew a patch existed, so speed matters more than convenience.

3. Put your vendors on the spot

Ask your key vendors in writing: do you use MOVEit or a similar transfer tool, are you patched, and was our data affected? Going forward, make security questionnaires, SOC 2 reports and breach-notification clauses part of every contract.

4. Keep less data sitting in transfer systems

Many MOVEit victims lost years of old files that were simply never cleaned out. Data you don’t retain can’t be stolen, so set retention rules on any system that stages or moves files.

5. Watch for data leaving, not just malware arriving

Because nothing was encrypted, many victims saw no obvious symptoms at all. Unusual outbound transfers are often the only early signal — one reason we keep real engineers watching client networks around the clock instead of relying on alerts nobody reads.

What to do this week

  1. Ask your IT team or provider whether you run MOVEit Transfer or any managed file-transfer tool, and confirm it is patched and has been reviewed for compromise.
  2. Email your five most important data-handling vendors and ask whether they were exposed.
  3. Confirm someone is actually monitoring your internet-facing systems after hours.
  4. Reread your incident-response plan and make sure it covers a breach that starts at a vendor.

Key takeaways

  • Cl0p exploited a MOVEit Transfer zero-day to steal data at scale — no encryption, straight to extortion.
  • Many victims were exposed through vendors, not systems they ran themselves.
  • Patch internet-facing software fast, and shrink the data sitting in transfer tools.
  • Vendor security questions belong in contracts, not just onboarding checklists.
  • Monitoring outbound traffic catches quiet thefts that antivirus never sees.

Not sure whether your own internet-facing systems would stand up to the same playbook? Request a penetration test and we’ll show you exactly what an attacker would find.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.