A cybercriminal group that stole corporate data accuses the victim company of ``failing to disclose data theft'' to the Securities and Exchange Commission.

A ransomware group known as 'Alphv' or 'BlackCat' stole customer data and operational information from MeridianLink, a financial and consumer data company, and demanded a ransom. Furthermore, MeridianLink filed a complaint with the US Securities and Exchange Commission (SEC) for not disclosing the fact that its data was hijacked by ransomware.

Ransomware Group Files SEC Complaint Over Victim's Failure to Disclose Data Breach - SecurityWeek

https://www.securityweek.com/ransomware-group-files-sec-complaint-over-victims-failure-to-disclose-data-breach/

AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC (2)
https://www.databreaches.net/alphv-files-an-sec-complaint-against-meridianlink-for-not-disclosing-a-breach-to-the-sec/

According to AlphV, AlphV succeeded in stealing MeridianLink data on November 7, 2023. AlphVa did not use ransomware to encrypt data, but instead stole MeridianLink customer data and operational information from its servers and threatened to release all the data it obtained unless a ransom was paid.

AlphV claims that it did steal MeridianLink's data and reports that while no security upgrades were made after the intrusion was detected, a patch was applied to address the method used to breach the network. Masu. However, MeridianLink did not publicly announce that it had been compromised.

When security-related news site DataBreaches asked AlphV if it had been contacted by MeridianLink, AlphV said that although MeridianLink officials had contacted them at some point, there had been no communication with the company. I was told that there wasn't.

Accordingly, AlphV would like to draw attention to a concerning issue regarding MeridianLink's compliance with the SEC. We found that the company had failed in its obligation to provide the required disclosures.''

Below is the complaint actually submitted by AlphV.

In response, MeridianLink wrote on security news site DataBreaches.net, 'A network intrusion by AlphV occurred on November 10th, and we took immediate action and dispatched a team of third-party experts to contain the threat.' 'We investigated the incident,' and said there was no unauthorized access to its platform.

MeridianLink also told DataBreaches, ``While we are not lawyers, we believe that the new rules imposing mandatory reporting to the SEC will not go into effect until December 15, 2023. If you think so, please let us know,'' and claims there was no obligation to publicize the incident and report it to the SEC.