The Incident: ALPHV/BlackCat’s Claim Against MeridianLink
In a bold and unprecedented move, the cybercriminals behind the notorious ALPHV/BlackCat ransomware have claimed to report one of their victims, MeridianLink, to the U.S. Securities and Exchange Commission (SEC) for failing to disclose a significant data breach.
This development underscores the increasingly complex landscape of cybersecurity and corporate responsibility.
The Alleged SEC Report
According to the ransomware group, they have infiltrated MeridianLink, a provider of software solutions to credit lenders. The attack reportedly resulted in the theft of personal data.
The criminals argue that MeridianLink should have reported the breach to the SEC within four days, as mandated for publicly traded companies facing substantial cybersecurity incidents.
A screenshot shared by the group allegedly shows a complaint being filed on the SEC’s website, raising questions about the obligations and responses of companies under cyberattack.
MeridianLink has acknowledged a recent cybersecurity incident on their website, describing it as causing ‘minimal’ disruption. The company promises to report to the relevant authorities if it’s determined that consumer personal information was involved in the incident, as per legal requirements.