Hacker group blurs lines, reports MeridianLink breach to SEC

Hacker group blurs lines, reports MeridianLink breach to SEC
Kerem Gülen

Kerem Gülen

  • Updated:

The notorious ALPHV/BlackCat ransomware syndicate has taken an unprecedented step by lodging a formal complaint with the U.S. Securities and Exchange Commission, targeting MeridianLink. This notable software provider, integral to financial institutions like banks and credit unions, now faces allegations of not reporting a cyberattack within the required four-day window.

The plot thickens as MeridianLink’s dilemma is publicly exposed on the ransomware group‘s data leak website. ALPHV has set a tight deadline, demanding a ransom from MeridianLink within just 24 hours to avert the release of what they claim to be stolen data. This turn of events in the MeridianLink breach narrative represents a significant ramp-up in ransomware tactics, underscoring an increasing trend of cybercriminals boldly challenging large, publicly traded enterprises.

Avast Download Now

New details emerged about the MeridianLink breach

Peering further into the complexities of the MeridianLink breach, new details emerge, painting a picture of an unconventional cyberattack. According to, ALPHV, also operating under the alias BlackCat, asserts they penetrated MeridianLink’s network back on November 7. Veering off the usual ransomware path, they claim to have extracted sensitive data instead of the standard practice of encrypting company systems.

Adding an unexpected twist, ALPHV revealed that though there seemed to be initial outreach from MeridianLink, this did not evolve into meaningful negotiations over the alleged stolen data. This lack of communication might have triggered the hackers to shift gears, adopting a more confrontational approach. Their next move was to file a complaint with the U.S. Securities and Exchange Commission (SEC), accusing MeridianLink of not disclosing a cybersecurity incident that affected crucial customer and operational data.

To bolster their allegations, ALPHV posted a screenshot on their site, showing a completed form on the SEC’s Tips, Complaints, and Referrals portal. They communicated to the SEC, describing the situation as a “significant breach” and alleging that MeridianLink failed to meet the disclosure obligations as required in Form 8-K, under Item 1.05.

This scenario fits into a larger pattern of rising cybersecurity threats, like the MeridianLink breach, across the U.S. Reacting to this uptick in incidents, the SEC has rolled out new rules, compelling publicly traded companies to swiftly report cyberattacks that have a material impact. The MeridianLink case not only showcases the evolving strategies of ransomware groups but also emphasizes the growing need for prompt and clear disclosure in such incidents.

Yet, the MeridianLink breach scenario is further complicated by a crucial timing element. In a report from early October, Reuters pointed out that the new SEC cybersecurity rules are scheduled to come into effect on December 15, 2023. This timing adds an intriguing twist to the already complex MeridianLink case.

Adding to the unfolding drama, ALPHV has taken the step of displaying the SEC’s confirmation of their complaint against MeridianLink on their website. This action is a deliberate move by the ransomware group to validate their SEC submission and to show that their tactics have real-world impacts, extending into the realm of regulatory compliance. This development in the MeridianLink breach not only intensifies the situation but also highlights the bold strategies cybercriminals are employing.

Moving forward in the MeridianLink breach narrative, the company has now confirmed the cyberattack. Speaking with BleepingComputer, MeridianLink outlined its immediate measures to mitigate the threat, emphasizing the rapid deployment of containment strategies and the engagement of external cybersecurity experts for an in-depth investigation.

MeridianLink is actively evaluating the extent to which consumer personal information may have been affected by this cyberattack. The company has committed to notifying any individuals whose personal data may have been compromised.

In a statement meant to provide assurance, MeridianLink stated, “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” This comment seeks to reassure stakeholders about the control and minimal impact of the situation.

Avast Download Now

This development represents a pivotal moment in the evolving tactics of ransomware and extortion. While threats to report breaches to the SEC have been made by cybercriminal groups in the past, the MeridianLink incident could be the first where such a report is publicly confirmed. Traditionally, ransomware groups have exerted pressure through tactics like informing customers of the breach or directly intimidating the victim. ALPHV’s decision to file a complaint with the SEC marks a significant shift towards more formal and assertive strategies in the realm of cyber extortion.

Images used in this post are courtesy of BleepingComputer.

Kerem Gülen

Kerem Gülen

Kerem from Turkey has an insatiable curiosity for the latest advancements in tech gadgets and a knack for innovative thinking. With 3 years of experience in editorship and a childhood dream of becoming a journalist, Kerem has always been curious about the latest tech gadgets and is constantly seeking new ways to create. As a Master's student in Strategic Communications, Kerem is eager to learn more about the ever-evolving world of technology. His primary focuses are artificial intelligence and digital inclusion, and he delves into the most current and accurate information on these topics. You can always reach Kerem from LinkedIn.

Latest from Kerem Gülen