PricewaterhouseCoopers (PwC) Australia has been dragged into a global data hack after the Russian ransomware gang Cl0p took advantage of vulnerabilities in a managed file transfer software program, but the advisory firm clarifies there has only been a limited impact on clients.
Hundreds of organisations are caught up in the cyber breach of MOVEit Transfer, including the US Department of Energy, oil and gas giant Shell, Johns Hopkins University, British Airways, and the BBC, as well as various state and provincial government departments in the US and Canada.
The owner of MOVEit, Progressive Software, issued a notice on June 15 noting a critical vulnerability it had encountered could lead to "escalated privileges and potential unauthorised access to the environment".
Progressive Software noted that earlier versions of the software could leave the MOVEit web application vulnerable to what is known as an SQL injection, whereby malicious code is injected into an application.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progressive Software wrote in the notice.
A PwC spokesperson told Business News Australia the firm uses the software with a limited number of client engagements.
"As soon as we learned of this incident we stopped using the platform and started our own investigation," the spokesperson said.
"Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC. We have reached out to the small number of clients whose files were impacted to discuss the incident.
"Data security is a key priority for PwC and we continue to put the right resources and safeguards in place to protect our network."