Ransomware attacks on major corporates

On 28 May  2023 major corporations started to announce attacks by CLOP ransomware group on their systems. CLOP is widely thought to operate from the Russian Federation. Victims are said to include Procter and Gamble, Virgin, Saks and others.

Attacks from Non/Quasi State actors can be expected to rise with international tensions.

Today (07.06.2023), CLOP used its dark web website to announce that personal information, including customer bank account details, would be released on the web:

“We deliberately did not disclose your organization wanted to negotiate with you and your leadership first,” reads a Clop ransom note sent during the GoAnywhere extortion attacks.

“If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on Google by searching for CLOP hacker group”.

Microsoft attributed the ransomware attack to vulnerabilities in the Zero-day MOVEit Transfer platform.

The attacks started on or around 27 May – the Memorial Day holiday weekend.

Having an interest in International Law, the attack raises questions of State responsibility for Non/ Quasi State actors. What duties does the Russian Federation have to prevent and prosecute such actions? What State responsibility does Russia bear if it fails to take reasonable and proportionate actions in those regards. I am going to leave that aside for another article.

What are the legal duties on firms who discover they have been hacked? Perhaps this is a far more practical question.

  1. Contact the Information Commissioners Office.
  2. Contact your internet provider and their security systems. You will need to know what was taken and to whom the information went.
  3. Act immediately. If you hesitate, the damage may be greater and the ICO will want to know why.

Your duties

  • Ensure the ‘confidentiality, integrity and availability’ of systems and services and the personal data you process within them.
  • You must be able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You must have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.
  • Your security measures must be proportionate to the sensitivity of the information held. If you hold sensitive medical data, your security measures must reflect this risk.

[Source ICO 07.06.2023]

In short,

  1. Know your security measures protecting your IT.
  2. Make sure they are adequate to the risk.
  3. Act quickly if you have a suspicion.

If you have any queries or would like further information, please do not hesitate to contact us on enquiries@dmhstallard.com

About the authors

about the author img

Jonathan Compton


Specialist in commercial disputes, banking and finance, regulatory and anti-trust/competition law.

Stay connected, sign up for updates

Stay connected

Recent articles


Construction disputes: the power of adjudication

Robert Ganpatsingh explains how adjudication can be an effective way of resolving construction disputes quickly.



Directors’ liability in intellectual property disputes

Directors of companies can be held personally liable for the infringing activities of the companies they operate



Ganz v Petronz FZE & Goren – key decisions of the arbitration claim

DMH Stallard LLP act for the claimant in the recent arbitration case of Mordchai Ganz v (1) Petronz FZE (2) Abraham Goren [2024] EWHC 635


Media spotlight

DMH Stallard noted as one of the best firms for championing women

legalbusiness.co.uk writes about the number of female professionals ranked in leading legal directory Legal500, with DMH Stallard holding 14 rankings across 20+ departments in the latest edition.