Delta and Amazon confirmed this week that employee data was stolen from a vendor through a vulnerability in the MOVEit file transfer tool.

A Delta spokesperson told Recorded Future News that an investigation confirmed the data is internal directory information originating from a third party partner but not from the company’s own systems.

“The dataset includes things like names, contact information and office location but no sensitive personal information,” the spokesperson said. “Delta teams work continuously to safeguard Delta’s data as the security and integrity of that information is of the utmost importance.”

The statement comes in response to a dark web post by a hacker using the moniker “Nam3L3ss” who said they planned to release troves of data stolen through the MOVEit vulnerability, which resulted in a raft of breaches last summer. 

Delta, alongside Amazon and 23 other major companies and governments, were named in the post. 

An Amazon spokesperson said the unnamed vendor receives employee contact information but does not collect more sensitive data like Social Security numbers, ID card details. 

The company said the vendor has since fixed the vulnerability. Amazon first confirmed the breach to the outlet 404 Media.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” the spokesperson said. 

“The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.”

Cybersecurity firm Emsisoft estimates that 2,773 organizations were impacted by the attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

The incident caused international outrage as dozens of government agencies, Fortune 500 companies and more confirmed that troves of data had been stolen by hackers connected to the Clop ransomware gang. Progress Software, the company behind MOVEit, has faced more than 100 lawsuits due to the breaches. 

Last week, Nam3L3ss reignited concern about the breaches when they posted tranches of data apparently stolen through the vulnerability. Some of the companies listed were previously announced as MOVEit victims, but others were not. All of the data is from May 2023, when the initial string of MOVEit breaches began.  

Security experts at Hudson Rock have confirmed that the data is legitimate. Hudson Rock CTO Alon Gal told Recorded Future News that he is not sure whether Nam3L3ss is connected to the Clop ransomware gang and if this is an attempt by Clop to publicize the remaining data stolen during the string of breaches last year. 

Clop is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

According to Hudson Rock, the information leaked last week includes employee directories from 25 “major organizations.” 

“The directories contain detailed employee information, including names, email addresses, phone numbers, cost center codes, and, in some cases, entire organizational structures,” Hudson Rock said in a blog post on Monday. “Such data could serve as a goldmine for cybercriminals seeking to engage in phishing, identity theft, or even social engineering attacks on a large scale.”

Researchers at Recorded Future were also able to verify that some of the data in the post was legitimate.

Recorded Future News (an editorially independent unit of Recorded Future) reached out to all companies listed by Nam3L3ss but only Amazon and Delta have responded. 

Nam3L3ss has since made several dark web posts claiming they are not a hacker and simply download data posted to ransomware sites or data held on unsecured storage platforms. The person claimed they are not selling the data and are releasing it in anger towards prominent companies that do not protect user information. 

In another post, Nam3L3ss attributed their actions to a recent controversy in Columbus, Ohio in which a cybersecurity researcher was sued for accessing city data stolen by a ransomware gang. The lawsuit was dropped two weeks ago. 

"The last straw came for me when Andy Ginther, mayor of Columbus, Ohio decided to sue Connor Goodwolf for talking about how the Mayor was down playing the scope of their ransomware attack. Other police departments can thank this mayor for me releasing their data too,” Nam3L3ss wrote. “Even data that was released 10 years is in my possession and will see the light of day again!"

In comments to Hudson Rock, the hacker claimed to have “1,000 releases coming” in the future.