The MOVEit aftermath: lessons learned for file transfer security
It's been over a year since the MOVEit Transfer mass exploitation (CVE-2023-34362). The fallout affected 2,500+ organizations and 90M+ individuals.
Key lessons I'm taking forward:
- Managed file transfer ≠ secure file transfer without patch management
- Supply chain risk means your vendor's vulnerability is YOUR vulnerability
- Zero-day response time matters more than prevention alone
- Data minimization — if you don't store it, it can't be stolen
What did MOVEit change in your org?
We dropped MOVEit entirely and moved to a self-hosted solution with automatic updates. The managed vendor model failed us because we were at their mercy for patching.
MOVEit made us build a formal third-party risk assessment process. Every vendor with access to PII now gets an annual security questionnaire and we verify their patching cadence.
The biggest lesson: segment your file transfer systems. MOVEit servers shouldn't have been sitting in flat networks with direct internet exposure and access to sensitive file stores.
We used the MOVEit incident as a board-level case study to justify funding for our vulnerability management program. Nothing motivates budget like a peer getting breached.