A ransomware crime group, AlphV, nailed a financial services company called MeridianLink. When MeridianLink failed to pay up, AlphV noticed another weakness it could exploit: MeridianLink had failed to disclose the hack to its customers as is expected of it. So AlphV reported MeridianLink to the Securities and Exchange Commission.
"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," AlphV officials wrote in the complaint. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules."
The violation category selected in the online report was "Material misstatement or omission in a company's filings or financial statements or a failure to file."
Wednesday's dark web post also included what appeared to be an automatic response received from the SEC acknowledging receipt of the complaint.
Fortunately for MeridianLink, the rule it has broken is not yet in effect, but its secrecy has done it no favors here. From similar incidents, it seems criminals are well-aware that U.S. financial companies' habit of keeping regulators in the dark is an exploitable weakness.
Brett Callow, a security analyst with Emsisoft, noted that a ransomware group known as Maze has previously warned victims that it "keeps the communication with the major Securities and Financial Regulators and will acknowledge them on all data leaks and breaches if the agreement is not reached."
It reminded me of the old Ralph Nader "recall vs. settlement cost" formula popularized by Fight Club: if the expected cost of regulatory compliance is greater than the cost of paying them off, pay them off. But the difference here is that the targets are neither complying with the law nor paying the "settlement," which suggests something bleak about the lack of consequences for corporate misconduct and ineptitude.