Alphv ransomware gang claims it reported MeridianLink to SEC

The Alphv ransomware gang said it compromised digital lending technology vendor MeridianLink before reporting the company to the U.S. Securities and Exchange Commission for failing to disclose the breach in a timely manner.

The gang claimed it attacked MeridianLink in an entry to its data leak site Wednesday. Alphv, also known as BlackCat, posted a screenshot of a report it allegedly submitted to the SEC. In the report, it claimed MeridianLink, a publicly traded company, failed to comply with the SEC's cybersecurity incident disclosure rules announced in July.

"It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules," the screenshot read.

According to the SEC's guidelines, the rules took effect in September. However, the 8-K disclosure requirement will not take effect until Dec. 18 for larger companies, while smaller organizations have until June 2024.

In a statement shared with TechTarget Editorial, a MeridianLink spokesperson confirmed the company experienced a cybersecurity incident but did not comment on the ransomware gang's claim nor the alleged SEC report.

"MeridianLink recently identified a cybersecurity incident. Safeguarding our customers' and partners' information is something we take seriously," the statement read. "Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law."

It continued, "We have no further details to offer currently, as our investigation is ongoing."

An SEC spokesperson declined to comment.

Guillermo Christensen, a partner leading national security practice at law firm K&L Gates, told TechTarget Editorial in an email that Alphv's latest tactics are a "natural evolution of efforts by ransomware groups to increase pressure on victims to pay and cooperate."

Moreover, he said in situations where a victim has to consider whether to report an incident or not, the company will have to accelerate its decision-making timeline "expecting that markets, investors and the SEC will become aware of the incident before the company has provided disclosure on an 8-K."

"This will further pressurize the decision-making process inside the company. Companies should be doing all that they can now to build in more runway for their decisions, [particularly when] working with incident response counsel and SEC counsel," Christensen said.

The Alphv/BlackCat ransomware gang has become a notorious cybercrime outfit in recent years. Most recently, the group took responsibility for a massive social engineering attack against gaming giant MGM Resorts in September.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.