
ALPHV files SEC complaint against own victim

The infamous ALPHV ransomware group has filed a complaint about one of its victims with the US Securities and Exchange Commission (SEC) after the company failed to disclose that it had been attacked.

Daniel Croft
Fri, 17 Nov 2023

The threat group, which also goes by the name BlackCat, listed MeridianLink, a financial software company, on its site, saying it filed the SEC complaint.

“The recent adoption of SEC rules mandates public companies to promptly disclose material cyber security incidents under Item 1.05 of Form 8-K within four business days of determining such incidents to be material,” said ALPHV.

“Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago.


“We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC).”

Accompanying the listing was a screenshot of the SEC complaint application process that had been filled out by the threat group, as well as an automated confirmation.

ALPHV also said it would leak the data it had stolen from MeridianLink unless it paid the ransom within 24 hours.

The move by ALPHV is far from typical, but it is an effective way to pressure a victim into making a move, whether that be paying a ransom or facing legal punishment.

Unfortunately for ALPHV, MeridianLink may be safe from regulatory or legal consequences. While the threat group is correct in saying that the SEC will require organisations to disclose a cyber breach within four days of discovery, these are new reporting rules that will not become active until next month.

Furthermore, government officials confirmed last week at the Aspen Cyber Forum that breaches only need to be reported four days after they have been classed as having a significant impact, not four days exactly after discovery.

Following the incident, MeridianLink has confirmed that it has suffered a cyber security incident, but it has said that there is nothing to suggest an actual cyber attack.

“Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” a spokesperson from MeridianLink said.

“Based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption.

“If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
