The government of Maine has officially acknowledged a data breach affecting in excess of one million residents. The incident, which occurred earlier this year, was executed by a ransomware group linked to Russia. According to an official statement released on Thursday, the attackers exploited a vulnerability within the state’s MOVEit file-transfer system, housing sensitive information pertaining to residents. The breach transpired between May 28 and May 29, during which hackers accessed and downloaded files from specific state agencies.
The disclosure and notification to affected individuals come after the completion of the state’s assessment of the compromised files. The pilfered information encompasses personal details such as names, dates of birth, Social Security numbers, driver’s license information, and other state or taxpayer identification numbers. In certain cases, medical and health insurance data were also compromised. The state clarified that the diversity of data held is contingent on individual interactions with state agencies.
As delineated by the state, more than half of the purloined data pertains to Maine’s Department of Health and Human Services, with approximately a third affecting the Department of Education. The remaining data concerns various other agencies, including the Bureau of Motor Vehicles and the Department of Corrections, with the caveat that the breakdown is subject to change.
The state of Maine, home to over 1.3 million people, becomes the latest victim to disclose a breach associated with the MOVEit mass hack, considered the largest hacking incident of the year in terms of the number of victims affected. MOVEit systems, employed by numerous organizations globally for secure file transfers, suffered a vulnerability that cybercriminals, specifically the Clop ransomware gang, exploited to compromise servers and pilfer sensitive customer data. Cybersecurity firm Emsisoft, tracking the mass exploitation, reports over 2,500 organizations disclosing MOVEit-related breaches, affecting at least 69 million individuals.
Emsisoft ranks Maine’s security incident as the eleventh largest MOVEit-related breach at the time of reporting. The Clop ransomware gang, known for publishing stolen files to extort organizations, has not yet listed Maine on its leak site. Progress Software, the maker of MOVEit, revealed in a recent regulatory filing that the U.S. Securities and Exchange Commission (SEC) has subpoenaed the company for documents and information related to the MOVEit vulnerability. Progress Software expressed its intent to fully cooperate with the SEC’s investigation.
