One Vendor Hack, Thousands of Small Businesses Hit: What to Learn from the MOVEit Disaster
📝 Synopsis: One vendor’s “secure” file-transfer tool (MOVEit) exploded into a global disaster, dragging enterprises, governments, universities, and service providers down with it — and proving that small businesses are now most at risk from the vendors and cloud tools they blindly trust. This post walks through what happened, why SMBs are exposed, and how SMOKE by INVISIQ acts as external radar to kill the blind window gangs profit from.
⏱️ Read time: ~8–9 minutes
🧮 Word count: ~2,100 words
One Vendor Hack, Thousands of Businesses Burned: What MOVEit Proved (and How SMOKE Fights Back)
If you run a small business, your to-do list is simple: keep the lights on, pay staff, keep customers happy. What’s not on that list is: “double-check whether one of our vendors quietly leaked our data this week.”
It should be.
In 2023, one “secure” file-transfer product – MOVEit Transfer – was exploited via a zero-day vulnerability. Attackers used it as a side door into more than 2,700 organisations, exposing data on roughly 90+ million people across enterprises, governments, universities, and service providers. One product. One bug. Global mess.
MOVEit in plain English: one supplier, global fallout
Think of MOVEit as a digital trucking company that everyone uses to ship sensitive files: salary data, HR records, customer information, health data. When attackers discovered a hole in that software, they didn’t knock politely. They drove right through it and started raiding the cargo.
The result:
- More than 2,700 organisations compromised through MOVEit-connected breaches.
- Personal data for around 93.3 million people exposed.
- Impact across finance, healthcare, government, education, and tech.
A few names, just so it lands:
- Shell, the global energy giant.
- BBC, British Airways, and Boots via payroll provider Zellis.
- U.S. federal agencies, state governments, and Canadian government bodies.
- Healthcare platforms like Welltok and Delta Dental, leaking data for 8.5M and 6.9M individuals.
Then there’s the silicon end of the universe: TSMC (Taiwan Semiconductor Manufacturing Company), the world’s largest chip manufacturer and a core supplier to Apple and others, had data exposed when its IT services provider Kinmax Technology was compromised. The LockBit ransomware gang allegedly swung a $70 million ransom demand around that incident.
If outfits at that level are being dragged into vendor breaches, your 40–200 person shop isn’t special. You’re playing the same game they are, just without their budget or backup.
The window gangs feed on: blind, quiet, and slow
The MOVEit story is not just “software bug + hackers.” That’s the children’s version. The adult version is this: gangs made money off the gap between “there’s a vulnerability” and “everyone has actually patched.”
A few ugly facts:
- Threat actors had been probing MOVEit for years before the public zero-day disclosure.
- Progress Software released patches and guidance. Many customers patched late – or not at all.
- Victims kept surfacing for months as organisations realised they’d already been compromised.
- In 2024, a new MOVEit vulnerability (CVE-2024-5806) dropped and was exploited in the wild within days.
- By 2025, scanning for MOVEit instances spiked again as attackers hunted for stragglers.
On top of that, Amazon admitted in late 2024 that staff contact data had only just shown up in MOVEit leak streams. Over a year later, the same campaign was still “paying out.”
That’s the real playbook: criminals are not just exploiting software, they’re exploiting blindness and delay. They live in the months where nobody’s watching, nobody’s looking at vendor advisories, and everyone is assuming “surely they’ve patched by now.”
Why SMBs get crushed when vendors screw up
Enterprise and government victims mostly survive: they have security teams, forensics, PR agencies, spare cash, and regulators who expect them to stumble occasionally.
You, as a small business owner (an SMB, which is what we’ll call you from here on), do not. At best you’ve got:
- A part-time IT person or outsourced MSP.
- An accountant or office manager trying to keep systems running.
- You – wearing “CEO”, “ops”, and “security” hats depending on the day.
Meanwhile the money side of breaches is going the wrong way:
- Average global breach costs are in the $4.5–5M range per incident.
- In the U.S., that number runs closer to $10M+ per breach.
Big brands can eat that and carry on. Most SMBs cannot. For you, it doesn’t take millions: six figures in legal bills, remediation, and lost deals can be enough to knock the legs out from under the business.
Your real attack surface: the stuff you don’t own
Everyone likes to talk about firewalls, anti-virus, and “zero trust.” All fine. All necessary. And all missing the modern point: your biggest risk is probably the systems you don’t own and can’t touch.
For a typical SMB, the real attack surface is:
- Cloud payroll and HR platforms.
- Accounting and invoicing tools.
- CRMs and customer systems.
- “Secure” file-transfer and file-sharing tools.
- Industry SaaS: healthcare platforms, legal practice tools, school systems, logistics portals, etc.
These are your touch points – connectors between your business and the outside world. You don’t patch them; your vendors do. You don’t see their logs; your vendors do. But when they get hit, it’s your name on the breach email.
SMOKE’s value: kill the blindness, shrink the damage window
Let’s be clear: you cannot force Progress Software, TSMC’s vendors, or your own payroll provider to patch on time. You can’t personally babysit their infrastructure either.
What you can control is:
- How fast you know when something connected to you is on fire.
- How clearly someone explains what to do in the first 24 hours.
That’s the job of SMOKE by INVISIQ. It exists to reduce the blind window and stop gangs from feasting on your ignorance.
What SMOKE actually does (no alphabet soup)
- You give SMOKE your touch points: the vendors, platforms, and internet-facing systems your business genuinely relies on.
- SMOKE watches the world around them: vulnerability feeds, CISA KEV, vendor advisories, breach disclosures, ransomware leak sites, threat blogs, and news around tools like MOVEit, GoAnywhere, Cleo, etc.
- When there’s smoke, SMOKE tells you in plain English: which vendor, what happened, why it matters to you, and what to hand directly to your IT or MSP.
- No spying on your users: no endpoint agents, no browser fingerprinting, no creepy tracking scripts on your website. It’s about external risk, not turning you into the product.
A 30-day plan for SMBs to close the gap
You don’t need a 60-page policy. You need a short, uncomfortable, practical plan.
Week 1 – Make the list
- List your top 10–20 vendors and platforms (payroll, HR, accounting, CRM, file-transfer, MSP, industry SaaS).
- For each, note the data they hold and how critical they are (1–5).
Week 2 – Assign ownership
- For every critical vendor, assign a named owner in your business.
- Make it explicit: “If this vendor is breached, this person decides what we do.”
Week 3 – Write the “vendor got hit” one-pager
- How do we confirm the incident is real?
- Which logins, tokens, and connections do we lock down or rotate?
- Who tells staff and customers, and what do we roughly say?
- Who speaks to regulators or lawyers if that becomes necessary?
Week 4 – Turn on external monitoring
Now you choose:
- DIY a patchwork of feeds, alerts, and dashboards and hope someone watches them every week, or
- Plug your touch points into SMOKE by INVISIQ and let a dedicated engine track vendor breaches, high-impact vulnerabilities, and leak activity tied to the systems you actually use.
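To make the register and the monitoring step concrete, here is an added Python illustration (written for this post; it is not SMOKE’s or INVISIQ’s code) that builds the week-1/week-2 vendor register described above and checks it against a feed in the shape of the CISA KEV JSON, the “touch points in, plain-English alert out” flow from the “What SMOKE actually does” section. The register rows, the feed records, their dates, and every vendor other than MOVEit are constructed placeholders; CVE-2024-5806 is the only identifier taken from the post, and the feed fields attached to it here are made up as well.

```python
"""Vendor touch-point register matched against a KEV-style vulnerability feed.

Added illustration for this post, not SMOKE's code. The register rows and the
feed contents are constructed; only CVE-2024-5806 is an identifier from the post.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TouchPoint:
    """One row of the week-1/week-2 vendor register."""
    name: str
    match_terms: tuple   # lowercase substrings looked for in a feed entry's vendor/product
    data_held: str       # what this vendor holds for us (week 1)
    criticality: int     # 1 (low) to 5 (business stops without it) (week 1)
    owner: str           # named person who decides what we do if it is hit (week 2)


@dataclass
class Alert:
    touch_point: TouchPoint
    entry: dict          # the matching feed record


# Constructed register for a hypothetical SMB. Vendor names other than MOVEit are placeholders.
REGISTER = [
    TouchPoint("Progress MOVEit Transfer (client file exchange)", ("moveit",),
               "customer contracts and payroll exports", 5, "Ops lead"),
    TouchPoint("ExamplePay cloud payroll (placeholder vendor)", ("examplepay",),
               "staff names, bank details, salaries", 5, "Finance manager"),
    TouchPoint("ExampleCRM (placeholder vendor)", ("examplecrm",),
               "customer contacts and deal notes", 3, "Sales lead"),
]

# Constructed feed in the shape of the CISA KEV JSON (a "vulnerabilities" list whose
# records carry cveID, vendorProject, product, requiredAction, dueDate, ...).
# Dates, descriptions and ransomware flags are made up; CVE-0000-* IDs are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-5806", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "MOVEit Transfer authentication bypass",
     "dateAdded": "2024-06-25", "requiredAction": "Apply vendor patch and review SFTP logins",
     "dueDate": "2024-07-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleOS", "product": "Example Router",
     "vulnerabilityName": "Placeholder bug in a product we do not use",
     "dateAdded": "2024-06-20", "requiredAction": "Apply vendor patch",
     "dueDate": "2024-07-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExamplePay", "product": "ExamplePay Portal",
     "vulnerabilityName": "Placeholder bug in the payroll portal",
     "dateAdded": "2024-06-24", "requiredAction": "Rotate API tokens and apply vendor patch",
     "dueDate": "2024-07-15", "knownRansomwareCampaignUse": "Known"},
]})


def load_feed(raw_json: str) -> list:
    """Parse a KEV-shaped document into its list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def match_register(register, entries) -> list:
    """Return one Alert per (touch point, feed record) pair whose vendor/product text matches.

    Ordered most-critical first; among equals, records flagged as used by
    ransomware come first, then by CVE ID so the order is stable.
    """
    alerts = []
    for entry in entries:
        haystack = f"{entry.get('vendorProject', '')} {entry.get('product', '')}".lower()
        for tp in register:
            if any(term in haystack for term in tp.match_terms):
                alerts.append(Alert(tp, entry))
    alerts.sort(key=lambda a: (-a.touch_point.criticality,
                               a.entry.get("knownRansomwareCampaignUse") != "Known",
                               a.entry["cveID"]))
    return alerts


def render(alert: Alert) -> str:
    """Plain-English alert: which vendor, what happened, why it matters, who acts, what to hand to IT."""
    tp, e = alert.touch_point, alert.entry
    ransomware = (" Ransomware gangs are already using it."
                  if e.get("knownRansomwareCampaignUse") == "Known" else "")
    return (
        f"Vendor: {tp.name}\n"
        f"What happened: {e['cveID']}, {e['vulnerabilityName']} (listed {e['dateAdded']}).{ransomware}\n"
        f"Why it matters to you: this system holds {tp.data_held}; criticality {tp.criticality}/5.\n"
        f"Who decides: {tp.owner}\n"
        f"Hand to IT/MSP: {e['requiredAction']} (target date {e['dueDate']})."
    )


if __name__ == "__main__":
    for alert in match_register(REGISTER, load_feed(SAMPLE_FEED)):
        print(render(alert), end="\n\n")
```

Run as-is, it prints two alerts (the router bug in a product the register does not list produces nothing) with the payroll vendor first, because a record flagged as used by ransomware outranks an equally critical one that is not. Swapping `SAMPLE_FEED` for the real KEV download keeps the rest of the flow unchanged; the part that actually takes effort is keeping the register honest, which is exactly what weeks 1 and 2 are for.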
The hard truth (and why this is for your own good)
Look at the pattern:
- MOVEit 2023: more than 2,700 organisations, roughly 93M people dragged in.
- Vendors to giants like Shell, TSMC, universities, governments, and healthcare providers all burned.
- New MOVEit bugs and scanning waves still popping up in 2024–2025.
- Average breach costs in the multi-millions – enough to flatten a typical SMB if it gets hit directly.
As a small business owner, you’re in the same blast radius as the giants, just without their airbag. They can sometimes shrug off an eight-figure incident. You can’t. The gangs do not care that you’re “just an SMB.” To them, you’re a softer target with fewer defenses and the same kind of valuable data.
SMOKE by INVISIQ exists for that exact reason: not to scare you, but to stop you being blind. It doesn’t magically fix vendors, but it does rip away the silence they rely on: it shortens the time between “there’s smoke around this vendor” and “we know, we understand, and we’re acting.”
If your honest answer to the question:
“How will we know when a vendor we rely on gets hacked?”
is “we’ll probably read about it somewhere,” then you don’t have a cybersecurity strategy. You have a wish. And wishes are exactly what these gangs are feeding on.
The fix is simple, not easy: stop being blind. Either build your own external radar, or let SMOKE by INVISIQ watch your vendors for you. But stop betting your entire business on “our vendor surely patched by now.”
Comment Policy
This discussion is intended for business owners, executives, and public-sector leaders. Comments that add insight, challenge assumptions, or advance the conversation are welcome.
Promotional posts, links, generic praise, marketing pitches, or off-topic commentary will be removed. Comments that demonstrate clear thought and experience will be approved.
Moderation is intentional. Quality beats volume.
Put SMOKE by INVISIQ between your business and the next vendor breach. Get early warning when your vendors, cloud tools, or connected services are in trouble — before attackers ever reach you.
