Insider Hackers Exploit SEC Rule to Expose Infiltrated Company

A hacking group breached a financial software company’s network and then reported the breach to the US Securities and Exchange Commission (SEC). According to, the group known as ALPHV / BlackCat breached the servers of fintech company MeridianLink on November 7, stealing company data without encrypting it. When the company did not negotiate directly with the hackers, the group filed a report with the SEC, citing a new rule that requires companies to report “material cybersecurity incidents” to the agency within four business days.

However, there is confusion about the effective date of the rule. While some claim it came into effect on December 15, others say the date is December 18, 2023. MeridianLink stated that it quickly contained the threat and found no evidence of unauthorized access to its production platforms. It is still investigating whether consumer personal information was breached.

There is uncertainty about whether the SEC will take action against MeridianLink for failing to report the incident within the required four days. The rule could potentially become a tool for cyber attackers, who can pressure companies to comply with their demands by reporting those companies to the SEC.