Alert – MOVEit Transfer Cybersecurity Incident

Kopiha Nathan

Attention HIROC Subscribers: 

Please share this alert with your Privacy and Information Technology team to ensure that this particular third-party cybersecurity risk is reviewed and addressed in a timely manner.


As your proactive partner in safety, HIROC is sharing the following important update:

We have been advised of a recent cybersecurity incident in relation to MOVEit Transfer software made by Burlington, Massachusetts-based company Ipswitch. It has been widely reported in the media that a vulnerability in MOVEit Transfer may have been exploited by threat actors, resulting in data thefts and potential breaches of personal health or personal information.

Note: MOVEit Transfer is a secure file transfer software solution widely used by many Canadian healthcare organizations. This vulnerability was reported by its parent company, Progress Software Corporation, on May 31, 2023 (CVE-2023-34362).

HIROC recommends Subscribers take the following immediate actions:

  1. Forward this alert to your Chief Privacy Officer, Chief Information Officer and Information Technology team immediately to investigate and understand if your organization has been impacted by this incident.

    AND

    If your organization uses MOVEit Transfer, please reach out to HIROC as soon as possible in order for HIROC to guide a coordinated approach to handling this risk. If you have already reported this incident, please continue to keep us informed as you learn more about this incident.
  2. If you haven’t already done so, take a quick inventory of your information technology solutions that are managed by third parties and take necessary proactive measures to manage third-party risks. These measures include, but are not limited to:
    • Following a thorough screening process involving security, privacy and service delivery risk assessments prior to onboarding a vendor.
    • Obtaining proof of annual or ongoing third-party attestation of industry-recognized information security principles and certifications (e.g., SOC 2, ISO, NIST, etc.). 
    • Verifying statement of work (SOW) on a quarterly basis, reviewing open/outstanding tickets and sharing privacy/security reminders with each third-party provider. 
    • Understanding how your data is transported, stored, used and protected (i.e., test environments should have the same level of security and privacy controls as the production environment, and the use of production data for testing should be limited).
  3. Ensure those responsible for information security at your organization subscribe to security advisory services such as the ones noted below: 

We Are Here For You!

In the event of a cyber loss, please contact Marnie MacPhee, Director of Claims at [email protected] (416-730-3056), or HIROC’s Claims Department at [email protected].

If you have any questions about this Alert, please reach out to Kopiha Nathan at [email protected], or email us at [email protected].

