DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC (2)

Posted on November 15, 2023 by Dissent

Earlier today, AlphV added MeridianLink to their leak site. MeridianLink (MLNK) is the provider of a loan origination system and digital lending platform for financial institutions. AlphV’s listing has been temporarily removed to be updated, but DataBreaches has learned some additional details from someone involved in the attack.

The attack was last Tuesday, November 7. According to AlphV, they did not encrypt any files, but did exfiltrate files. MeridianLink was aware of it the day it happened. According to AlphV, no security upgrades were made following the discovery, but “once we added them to the blog, they have patched the way used to get in,”  DataBreaches was told.

DataBreaches asked AlphV whether MeridianLink had contacted them at all or responded to them at all, and was told that someone from MeridianLink had reached out to AlphV at some point, but there has been no interaction between the attackers and the firm. When asked why not, the threat actor explained, “it says they are offline.”

In what may be a first, however, AlphV has seemingly reported its victim to the SEC. A copy of the submission was shared with DataBreaches:

AlphV reported MeridianLink to the SEC for alleged failure to timely file. Image: Provided. DataBreaches.net.

AlphV wrote: “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.

It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

The automated receipt for the complaint submission. Image: Provided. DataBreaches.net

MeridianLink’s data security information can be found on its website. DataBreaches sent an inquiry to MeridianLink asking them about the alleged incident and their incident response. They replied promptly with the following statement:

Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.

We have no further details to offer currently, as our investigation is ongoing.

Update 1: This post was updated post-publication to include MeridianLink’s statement.

Update 2: In response to a question DataBreaches received:  We are not lawyers, but we believe that new SEC reporting rule doesn’t go into effect until December 15. If any legal authority thinks it is already in effect, please let us know. 

 


Image by wayhomestudio on Freepik.

Category: Financial SectorHackOf NoteU.S.

Post navigation

← Data security breach at Beaverton School District
Georgia School District Goes Offline After Suspicious Activity →

5 thoughts on “AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC (2)”

  1. john says:
    November 16, 2023 at 4:44 pm

    It is not effective until December 18 2023 for MeridianLink. Even then – the rule is not 4 days from the incident, but 4 days to disclose from the point the company determines they need to disclose it. Companies can’t ‘unreasonably delay’ the determination of if they need to disclose it.

  2. jeyarupan linganayagam says:
    November 18, 2023 at 1:30 pm

    My photos and videos .yzaq ransomware encrypted files so pls help me
    How to decrypt all file?
    Virus attack date 4.11.2023

    1. Dissent says:
      November 18, 2023 at 4:01 pm

      This is not my forte, so I asked Brett Callow of Emsisoft, and he suggested you take a look at this thread on BleepingComputer:
      https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-djvu-puma-promo-support-topic/

      (and yes, links are not allowed in comments, but I am the owner so I can give myself permission)

    2. anon says:
      November 20, 2023 at 12:28 pm

      Check out this website:

      https://www.nomoreransom.org/crypto-sheriff.php

      1. Dissent says:
        November 20, 2023 at 6:52 pm

        That is also a good site, but in this case, you know from the extension that it’s the newer version of the malware and there’s no decryptor yet.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.