Incident White Paper

MOVEit 2023: When Invisible Infrastructure Became the Largest Data Theft in History

What failed, why the impact spread across thousands of organisations invisibly, and what boards and resilience leaders should be rehearsing now.

July 25, 2025
8 min read
By Frank Kahle

Executive Summary

Beginning May 27, 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer — a managed file transfer platform used by thousands of organisations to move sensitive data between systems, partners, and regulators. Over the weeks that followed, more than 2,700 organisations were confirmed compromised and the personal data of approximately 93 million individuals was exposed. Estimated costs exceeded $10 billion. Not a single file was encrypted. No ransomware was deployed. Cl0p simply took the data and waited. This paper examines what failed, why the blast radius extended so far beyond the organisations that ran MOVEit themselves, and what leadership teams should be rehearsing before the next piece of invisible infrastructure becomes the next headline.

What Failed

MOVEit Transfer is one of several managed file transfer platforms that sit quietly in the background of enterprise operations. It moves payroll files to processors, benefits data to insurers, compliance reports to regulators, and sensitive records between business partners. Most employees in an affected organisation would never have heard of it. Most boards had never discussed it. It was infrastructure in the truest sense — invisible, trusted, and deeply embedded.

On May 27, 2023, Cl0p began exploiting CVE-2023-34362, a critical SQL injection vulnerability in MOVEit Transfer's web application layer. The flaw, rated 9.8 out of 10 on the CVSS severity scale, allowed unauthenticated attackers to access the underlying database of any internet-facing MOVEit instance. Cl0p deployed a custom web shell called LEMURLOOT to the compromised servers, which was then used to enumerate database contents and exfiltrate files at scale.

Progress Software identified the vulnerability and released a patch on May 31. But Cl0p had been probing MOVEit environments long before that. Mandiant reported exploitation activity as early as May 27, and Kroll found evidence of testing as far back as 2021. By the time the patch was available, the data was already gone.

On June 6, Cl0p publicly claimed responsibility on their leak site and began issuing extortion demands. Organisations that did not pay saw their stolen data published. There was no encryption, no operational disruption to systems, no ransom note on a locked screen. The entire attack was designed around one objective: exfiltrate data quietly and monetise it through extortion.

The Decision Timeline That Leadership Actually Faced

The MOVEit incident presented a fundamentally different decision challenge from a conventional ransomware attack. There was no operational disruption to trigger incident response. No systems went down. No employees lost access. The first sign of compromise, for most organisations, was either a notification from Progress Software, a security advisory from CISA, or — worst case — a direct extortion demand from Cl0p.

The Critical Windows

May 27 – 31

Active exploitation underway. Most organisations are unaware. No vendor advisory has been published. Cl0p is exfiltrating data from internet-facing MOVEit instances worldwide. For every affected organisation, the breach is already complete before they know it has begun.

May 31 – Jun 2

Progress Software publishes the advisory and patch. CVE-2023-34362 is assigned with a 9.8 severity rating. Security teams scramble to determine whether their MOVEit instances were exposed and whether data was accessed. The challenge: most organisations do not know what data flows through MOVEit, who configured it, or what partner connections depend on it.

Jun 6 – 14

Cl0p claims responsibility publicly and sets a deadline for victims to make contact. Leadership teams must now decide: engage with the threat actor, refuse and prepare for data publication, or wait for more information. Legal, privacy, communications, and security teams are all involved. Regulatory notification clocks are running.

Jun 14+

Cl0p begins publishing stolen data from organisations that did not pay. The incident shifts from a private breach response to a public crisis. Affected organisations must now manage customer notification, media inquiries, regulatory filings, and class-action exposure simultaneously. By October, at least 144 class-action lawsuits had been filed against Progress Software alone.

Why the Blast Radius Was So Large

The MOVEit breach did not spread because of lateral movement between networks. It spread because of the nature of what managed file transfer platforms do. They sit at the intersection of data flows between organisations. When one MOVEit instance is compromised, the attacker gains access not just to that organisation's data, but to every file that has passed through it from every connected partner.

This is what made the incident so devastating, and so instructive. Many of the 2,700+ confirmed victim organisations did not run MOVEit themselves. They were compromised because a vendor, payroll processor, benefits administrator, or business partner ran MOVEit and their data was in transit through it.

The Zellis chain illustrates the pattern. Zellis, a UK payroll provider, used MOVEit Transfer to process employee data on behalf of its clients. When Zellis's MOVEit instance was compromised, the data of employees at the BBC, British Airways, and Boots was exposed — names, national insurance numbers, bank details. None of these organisations ran MOVEit. None of them had a direct relationship with Progress Software. Their exposure came entirely through a third-party data flow they may not have been actively monitoring.

The US government contractor chain was even wider. Maximus, a government services contractor, had 11 million individuals' data exposed. The French employment agency Pôle Emploi lost records on 10 million individuals. Shell, multiple US financial institutions, state government agencies, and healthcare organisations all appeared on the victim list — connected not by industry or geography, but by the invisible data plumbing that MOVEit provided.

This was not a cascade. It was simultaneous exposure. Cl0p did not move from one victim to the next. They compromised internet-facing MOVEit instances in parallel, exfiltrating data from each one independently. The result was thousands of breaches disclosed over weeks, each one revealing a new set of downstream organisations that had no idea their data was transiting a platform with a critical zero-day.

What the Incident Exposed

Managed file transfer is invisible critical infrastructure. Most organisations treat MFT platforms as IT plumbing — configured once, maintained by a small team, rarely reviewed at a strategic level. MOVEit demonstrated that these platforms carry some of the most sensitive data in the enterprise: payroll, benefits, health records, financial transactions, and regulatory filings. When MFT fails, the data exposure is not hypothetical. It is comprehensive and immediate.

Third-party data flows are not mapped to risk. Organisations knew they had vendor relationships. They had contracts, SLAs, and in some cases security assessments. What they did not have was a clear picture of which specific data sets were transiting which specific platforms at which specific vendors. The question "does any of our data pass through MOVEit?" was unanswerable for many organisations when the advisory landed.

Data-theft-only attacks break the incident response model. Traditional ransomware creates an obvious trigger: systems go down, operations stop, and someone must act immediately. The MOVEit breach had no operational trigger. Data was exfiltrated while systems continued to function normally. This meant that many organisations discovered the breach days or weeks after the data was already gone. Incident response plans built around operational disruption were structurally mismatched to an attack designed around silent exfiltration.

Cl0p industrialised the supply chain attack. This was not an opportunistic exploit. Cl0p had previously used the same playbook against Accellion's File Transfer Appliance in 2020–2021 and Fortra's GoAnywhere MFT in early 2023. Each attack targeted a different managed file transfer vendor. Each used a zero-day. Each focused on data theft over encryption. The MOVEit campaign was the third iteration of a proven operational model. The pattern was visible in retrospect. Few organisations had incorporated it into their threat modelling.

The SEC responded as a regulatory event, not just a security one. The US Securities and Exchange Commission opened a formal investigation into Progress Software in October 2023. This elevated the MOVEit breach from a cybersecurity incident to a corporate governance and disclosure matter, with implications for every publicly traded company whose data was involved.

The Resilience Lens

The MOVEit breach challenges a core assumption in most resilience programmes: that critical incidents will be visible. Ransomware is loud. Operational outages are obvious. A DDoS attack is measurable in real time. The MOVEit breach was none of these things. It was silent, complete before detection, and its full scope only became clear over months as victim after victim disclosed.

For boards and resilience leaders, the strategic question is uncomfortable: if an attacker compromised one of the file transfer platforms your organisation depends on today, would you know what data was exposed? Could you answer that question within the regulatory notification window? Could you tell your customers, with confidence, what was taken and what was not?

For most organisations, the honest answer is no. Not because of negligence, but because the data flows through these platforms are managed operationally, not strategically. They are configured by IT teams to solve specific integration problems. They are rarely inventoried comprehensively. And they are almost never stress-tested against the scenario the MOVEit breach actually delivered: total compromise of the platform, with no operational disruption to signal that anything has happened.

This is the class of incident that most organisations have never rehearsed. Not because it is exotic, but because it is invisible. The infrastructure is too mundane to appear on a board risk register. The data flows are too granular to feature in an executive briefing. And the attack model — silent exfiltration without encryption — does not fit the scenarios that most tabletop exercises are built around.

What Boards Should Be Asking

The typical post-MOVEit response was to patch the vulnerability, review vendor contracts, and add managed file transfer to the risk register. Those are necessary steps. They are also backward-looking. The questions that matter now are the ones that test whether the organisation can respond to the next silent supply chain compromise — which will not involve MOVEit, and will not look identical to this one.

  • Can we produce, within 48 hours, a complete inventory of what sensitive data passes through each of our managed file transfer, integration, and middleware platforms — and which third parties have access?
  • If a vendor notified us today that their platform had been compromised three weeks ago, do we have the forensic capability to determine what data was accessed, or are we dependent on the vendor to tell us?
  • Have our leadership teams ever rehearsed a data breach with no operational disruption — where systems are running normally but the data is already gone?
  • Do our regulatory notification processes assume we will know the scope of exposure quickly, and what happens when we do not?
  • Are our third-party risk assessments focused on whether vendors have security certifications, or on whether we understand the specific data flows and platform dependencies those vendors introduce?

If the answer to most of these is "we would need to check," then the MOVEit incident is a direct preview of how the next silent breach will unfold inside your organisation. The gap is not in technology. It is in the readiness to respond when the breach has already happened and nobody noticed.
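As an added illustration (not from the white paper or any vendor's tooling), the following Python models the question the paper keeps returning to: given an inventory of file-transfer instances and the data flows that transit them, which organisations are exposed when one product is compromised, including those that never ran it themselves. Every instance, operator and dataset name below is constructed.

```python
"""Data-flow exposure mapping for a compromised managed file transfer (MFT) product.

Constructed example (not the paper's or any vendor's code). An inventory records
each MFT instance, who operates it, and which organisation's dataset transits it.
Given a compromised product, it reports every organisation whose data was exposed,
flagging those exposed only through a third party's instance (the Zellis pattern).
"""

# Constructed inventory. Each flow: (instance, operator, data_owner, dataset).
FLOWS = [
    ("mft-a", "PayrollCo", "RetailerX", "payroll"),
    ("mft-a", "PayrollCo", "BroadcasterY", "payroll"),
    ("mft-b", "RetailerX", "RetailerX", "supplier-invoices"),
    ("sftp-1", "RetailerX", "RetailerX", "hr-records"),
    ("mft-c", "InsurerZ", "RetailerX", "benefits"),
]

# Constructed mapping of instance -> platform product (product names are placeholders).
INSTANCES = {
    "mft-a": "MFT-Product-A",
    "mft-b": "MFT-Product-A",
    "sftp-1": "SFTP-Product-B",
    "mft-c": "MFT-Product-C",
}


def exposure_report(product, flows=FLOWS, instances=INSTANCES):
    """Return {data_owner: {"direct": bool, "datasets": [...], "via": [...]}} for every
    organisation with data transiting an instance of `product`. "direct" means the
    organisation operates an affected instance itself; "via" lists third-party
    operators through whose instances its data was exposed."""
    report = {}
    for instance, operator, owner, dataset in flows:
        if instances.get(instance) != product:
            continue  # flow transits a different product; not in scope
        entry = report.setdefault(owner, {"direct": False, "datasets": set(), "via": set()})
        entry["datasets"].add(dataset)
        if operator == owner:
            entry["direct"] = True
        else:
            entry["via"].add(operator)
    # Sort for stable, report-friendly output.
    return {o: {"direct": e["direct"], "datasets": sorted(e["datasets"]), "via": sorted(e["via"])}
            for o, e in report.items()}


def indirect_only(product, flows=FLOWS, instances=INSTANCES):
    """Organisations exposed solely through a third party: the ones least likely to
    receive a vendor advisory and most likely to learn of the breach from the attacker."""
    return sorted(o for o, e in exposure_report(product, flows, instances).items()
                  if not e["direct"])
```

Running `indirect_only("MFT-Product-A")` against the constructed inventory returns only `BroadcasterY`, which runs no instance of the product yet has payroll data exposed through PayrollCo.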

Conclusion

The MOVEit breach of 2023 was not a sophisticated intrusion in the traditional sense. It was a single SQL injection flaw in a file transfer platform. What made it historic was not the vulnerability itself, but the position that platform occupied in thousands of organisations' data supply chains. MOVEit was invisible infrastructure — trusted precisely because nobody thought about it.

Cl0p understood this better than the organisations they targeted. They had rehearsed the playbook twice before, against Accellion and GoAnywhere, refining their approach each time. By the time of MOVEit, they had industrialised the supply chain data theft model to a degree that compromised more organisations in a single campaign than most ransomware groups manage in a year.

The lesson for boards and resilience leaders is not about MOVEit specifically. It is about every piece of infrastructure that moves sensitive data between systems and organisations without appearing on a risk register or featuring in a crisis exercise. The next campaign will target a different platform. But the pattern — silent compromise, massive blast radius, and an organisation that cannot answer basic questions about what was taken — will be identical.

Readiness for that scenario cannot be assumed. It has to be tested.

Rehearse This Scenario

CrisisLoop builds structured executive exercises around real-world incidents like this one. If your leadership team has never rehearsed a silent supply chain breach where the data is already gone before anyone notices, that gap is worth closing before it plays out in public.

Talk to Us About Resilience Rehearsal