The Maine state government has confirmed leaking the personal information of over a million individuals in a MOVEit data breach.
Disclosing the security incident, the state government said that hackers “exploited a vulnerability in a widely used file transfer tool, MOVEit,” which Progress Software owns.
The MOVEit hack stems from CVE-2023-34362, a critical (CVSS 9.8) SQL injection vulnerability that the Russian Cl0p ransomware gang exploited to compromise thousands of organizations worldwide.
Maine state government confirms MOVEit data breach
The state said it “recently concluded” an investigation that determined the Cl0p ransomware gang downloaded data from various state agencies before the zero-day vulnerability became public knowledge on May 31, 2023.
“The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023,” said the state government.
Most of the information leaked was from the Maine Department of Health and Human Services (50%) and the Maine Department of Education (30%). However, the MOVEit data breach was restricted to a MOVEit server and never impacted the state government’s internal systems.
The state government of Maine said it responded by blocking internet access to the compromised MOVEit servers, engaging external legal and cybersecurity experts, applying mitigations recommended by Progress Software, and launching an investigation.
The probe determined that the MOVEit data breach leaked PII, including the victim’s name, date of birth, driver’s license, Social Security numbers, and taxpayer identification numbers. However, the information varied from one individual to another, and included medical and health insurance information for some.
The state estimated that the MOVEit data breach impacted 1.3 million individuals who have since been notified via mail, press releases, or email. Maine has a population of 1.372 million residents, suggesting that most, if not all, were impacted.
Explaining the extensive data stored and leaked, the Maine state government said it collected that information to facilitate service delivery.
“The State of Maine may hold information about individuals for various reasons, such as residency, employment, or interaction with a state agency. The State also engages in data sharing agreements with other organizations to enhance the services it provides to its residents and the public,” said the state government.
Meanwhile, the Maine state government is offering two years of complimentary credit monitoring and identity theft protection. The state has also created a dedicated website and provided a toll-free number, (877) 618-3659, to support the MOVEit data breach victims.
The state also advised individuals to be vigilant for potential attacks and monitor their accounts for suspicious activity. They could also request their credit report and freeze their file to prevent abuse by fraudsters.
The Maine state government did not disclose whether the Cl0p ransomware gang demanded a ransom to avoid publishing the stolen information. No evidence suggests that the gang has published or misused Maine residents’ data.
“State and local governments manage a vast amount of sensitive data, including personally identifiable information (PII),” said Nick Tausek, Lead Security Automation Architect at Swimlane. “They must safeguard this data from third-party breaches by adopting a cyber defense program that leverages security automation to detect and respond to threats in real-time.”
The gift that keeps on giving
The state government of Maine is among over 2,500 entities affected by the MOVEit data breach worldwide, impacting over 70 million individuals.
Other victims include the federal government’s Department of Energy, Louisiana Office of Motor Vehicles, Oregon Department of Transportation, Colorado Department of Health Care Policy and Financing, Canada’s Nova Scotia provincial government, Maximus Healthcare Inc., the BBC, British Airways, Sony Interactive Entertainment (SIE), and IBM.
“Yet again, we see the MOVEit exploit continues to hit new victims across all sectors, with over 640 recorded so far,” said Darren Williams, CEO and Founder of BlackFog. “The catastrophic fallout from this hack has demonstrated a cold reality: a significant number of organizations are not prepared to fend off sophisticated breaches.”
File transfer tools have become attractive targets for cybercriminals. So far, the Cl0p ransomware gang has exploited vulnerabilities in the MOVEit, Accellion, and GoAnywhere file transfer systems.