Ofcom says it won’t pay ransom, as new MOVEit hack victims come forward

More victims of the mass-hacks targeting users of MOVEit Transfer, a popular file-transfer application, are coming forward as the number of known impacted organizations reaches almost 400.

U.S. cosmetics giant Estée Lauder said in a statement that an unauthorized third-party “gained access” to some of the company’s systems and obtained data, but did not share any further details — or publicly link the incident to MOVEit.

The Russia-linked Clop ransomware gang, which has taken credit for the MOVEit mass-hacks, said it stole gigabytes of company data plus Estée Lauder archives. Separately, the company was also listed by another ransomware gang.

Other victims to show up on Clop’s leak site this week included the U.K. government’s communications regulator Ofcom, and the Commission for Communications Regulation, or ComReg, the general communications regulator for Ireland.

Ofcom spokesperson Harry Rippon told TechCrunch that as the regulator confirmed last month, it believes that the personal data of 412 employees was downloaded during the attack. “No payroll data was breached,” said the spokesperson. “This affected Ofcom employees who had changed their benefits or who were new joiners.” Ofcom said it “has not made any payment, as per advice from the National Cyber Security Centre.”

ComReg declined to answer TechCrunch’s questions.

While Clop listed both Ofcom and ComReg on Tuesday, both organizations have since been removed from the leak site. The reason behind the removal is not known, but Clop claims it deletes government-related data that it steals.

This could also be the reason that U.S. government agencies impacted by the mass-hacks have not yet been listed. In a statement shared with TechCrunch last month, U.S. cybersecurity agency CISA said that “several” U.S. government agencies experienced intrusions related to the MOVEit breach. The U.S. Department of Energy confirmed that two of its entities were among those breached.

While Clop appears to have backtracked on its threats to leak Ofcom and ComReg data, the gang is threatening to publish data stolen from consultancy giant Ernst & Young and stockbroker TD Ameritrade. The hacking group also published a huge cache of data allegedly stolen from British multinational professional services brand PwC’s clients. PwC was first listed by Clop last month but at the time declined to answer TechCrunch’s questions.

In a statement provided to TechCrunch this week, PwC spokesperson Mike Davis confirmed that the company is “working with impacted clients” and no longer uses the MOVEit file-transfer platform. PwC declined to say how many clients had been impacted or what types of data had been stolen.

Clop also listed several other companies on its dark leak site, including a U.S. airline, a Canadian tech company and a U.K. payments cybersecurity firm. None of these companies responded to TechCrunch’s questions.

It’s unlikely that the number of organizations — or individuals — impacted by the MOVEit mass-hacks will be known for some time.

According to the latest data from Brett Callow, threat analyst at Emsisoft, there are so far 381 known victims of the MOVEit attacks, impacting the personal data of almost 20 million individuals. However, he told TechCrunch that “based on the average number of individuals per breach and the number of orgs we know have been impacted but not yet confirmed, the potential total of individuals could be 85,955,498.”

“But, of course, there’s lots of orgs we don’t yet know about,” Callow added.

Why ransomware victims can’t stop paying off hackers