The damage tally from the massive MOVEit data breach continues to go up, as a US government contractor is reporting that 8 to 11 million records of health data have been exposed.
The latest breach involves Maximus, a contractor that administers aspects of Medicaid and Medicare as well as numerous other government programs. The Russian hacking group Cl0p has taken credit for the MOVEit data breach and has been shaking down various victims via its dark web site, and is now threatening to leak some 169 GB of stolen health data.
Compromise of government contractor adds to huge list of MOVEit data breach victims
The compromised health data belongs to participants in the programs that Maximus administers. The government contractor issued a statement indicating that this could include sensitive health information and Social Security numbers, but that the total damage is still being evaluated and that the cost of remediation will likely be north of $10 million.
The MOVEit data breach was first disclosed on May 31, and the list of victims has ballooned to at least 500 since then. Cl0p has been taking its time with extortion demands, for the most part posting them on its collection of web sites instead of negotiating directly with the compromised parties. The MOVEit software is widely used for secure, encrypted file transfers between locations and organizations, and a broad variety of both public and private entities make use of it. Among those impacted are public employee retirement programs in several states, a number of banks and insurance firms, county governments, health systems and universities. Breaches are also popping up all over the world, with UK-based sports betting giant Flutter Entertainment one of the most recent names to be extorted.
The cache of stolen health data adds to a collection of some 34.5 million records of personal information thought to be exposed thus far. Not all of the parties hit by the MOVEit data breach lost information as sensitive as that of Maximus, but whatever is taken will likely be made available to the general (criminal) public if the victim organization opts to not pay the ransom demand. Of course, even if the ransom is paid, it’s quite likely the stolen information will be sold on the black market at some later point.
Maximus is offering impacted parties free credit monitoring and is actively reaching out to those it has contact information for. Erfan Shadabi, cybersecurity expert with comforte AG, notes that the government contractor's breach is potentially the most individually damaging to emerge from the MOVEit attack thus far due to the value of health data: “A breach in the healthcare sector is highly damaging due to the sensitive nature of the data involved. It exposes some of the most private personal and medical information of an already vulnerable section of the population, leading to identity theft, medical fraud, and financial losses for individuals and organizations. Such incidents erode trust, impact patient safety, and incur heavy legal and regulatory consequences. Organizations, especially in the healthcare sector, should prioritize data-centric security measures. By adopting robust data-centric security strategies, organizations can protect sensitive information at its core, mitigating the impact of potential breaches. Encrypted data, strict access controls, and continuous monitoring are essential components to safeguard personal and healthcare data effectively.”
Stolen health data adds to highly concerning cache of personal information
Some cybersecurity analysts believe that it could be over a year before the full impact of the MOVEit data breach shakes out. Scans conducted in late June found about 2,500 MOVEit servers exposed on the open internet that could be vulnerable. About 70% of these servers are in the United States, and about a third of the vendor’s clientele consists of large organizations with at least 10,000 employees.
The best hope for containing the breach would be to shut down Cl0p, but there seems to be little chance of that happening anytime soon. The group is now one of the biggest and most experienced on the market, in operation since at least early 2019 and responsible for similar third-party breaches involving Accellion and GoAnywhere, for which it was never held to account. The MOVEit data breach has now prompted a class action suit, with plaintiffs in Louisiana accusing MOVEit publisher Progress Software of negligence given the company’s client roster of government contractors, banks, and patient care networks sitting on sensitive financial and health data.
A patch was available on the day the central vulnerability in the MOVEit data breach was disclosed to the public, and other vulnerabilities discovered by bug hunters were gradually patched through July 5. But the patch must be manually applied, and Cl0p was likely active well before the vulnerability was discovered and disclosed. This likely informed the group’s decision not to deploy its ransomware, allowing it to quietly gather more data for extortion before anyone was aware that it was rummaging around in networks.
At the moment the extent of the MOVEit data breach is being gradually revealed as Cl0p slowly lists more victims for extortion, something that could continue for months. The SEC has recently passed rules requiring publicly traded companies to disclose data breaches with an expected material impact within four days of discovery, but the new terms are not in effect until the end of August (and possibly for months longer for smaller businesses). Government contractors may also be under tighter new disclosure requirements if they work in critical infrastructure fields.
Erich Kron, Security Awareness Advocate at KnowBe4, notes that the cat is pretty much out of the bag with this particular breach, but that organizations can use what happened to the unfortunate government contractor as a prompt to prepare for the next comparable incident: “It is just now starting to be clear what a bonanza of information has been impacted due to the MOVEit hack. The bad actors exploiting this flaw have gathered a treasure trove of personal and organizational information, and the extent of the information that has been compromised continues to be discovered. It’s critical for organizations that use software such as this, or any other software that contains or handles sensitive information, to have a process in place for quickly patching potentially impacted systems or employing mitigations to limit the chance of exposure through them. In addition, since a majority of malware is spread through simple phishing emails, it’s important that users and employees be educated and trained to be able to spot and report email phishing attacks quickly.”