A notorious ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) over the failure of a victim to disclose an alleged data breach resulting from an attack conducted by the cybercrime gang itself.
The ransomware group known as Alphv and BlackCat claims to have breached the systems of MeridianLink, a California-based company that provides digital lending solutions for financial institutions and data verification solutions for consumers.
The cybercriminals claim to have stolen a significant amount of customer data and operational information belonging to MeridianLink, and they are threatening to leak it unless a ransom is paid.
In an apparent effort to increase its chances of getting paid, the malicious hackers claim to have filed a complaint with the SEC against MeridianLink, accusing the company of failing to disclose the breach within four business days, as required by rules announced by the agency in July.
BlackCat published screenshots on its leak website on November 15 to show that the complaint has been filed and received by the SEC.
This appears to be the first time a ransomware group has filed an SEC complaint against one of its victims.
The hackers told DataBreaches.net that the attack against MeridianLink — which allegedly did not involve file-encrypting ransomware, only data theft — was conducted on November 7 and it was discovered the same day.
However, MeridianLink told DataBreaches.net that the intrusion occurred on November 10.
“Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the company said, adding that it cannot share further details due to its ongoing investigation.
It’s worth pointing out that the new SEC data breach disclosure rules will only go into effect in mid-December 2023. In addition, companies will be required to notify the SEC within four business days of determining that a cybersecurity incident is material to investors, which, based on MeridianLink’s statement, has yet to happen.
Contacted by SecurityWeek, an SEC spokesperson declined to comment.
BlackCat has been one of the most active ransomware operations and it’s not uncommon for the group to try new methods for convincing targets to pay up, including by setting up dedicated leak websites for individual victims.
*updated to say that the SEC declined to comment