State of Maine Latest Federal Victim of MOVEit Data Breach

The entire state of Maine is the latest victim of the MOVEit Transfer compromise. Led by a Russia-linked ransomware gang, the Maine breach is believed to have impacted about 1.3 million people.

“On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023,” reads the notice of Security Incident.

The stolen information may include names, dates of birth, Social Security numbers, driver’s license numbers and state or taxpayer identification numbers as well as medical and health insurance information. 

In a statement released by the official Maine government website, the State shared that such information is stored for various reasons, such as residency, employment or interaction with a state agency. In addition, the State is engaged in data sharing agreements with other organizations to enhance the services it provides to its residents and the general public. 

State officials told residents that steps were taken immediately to secure the State's information, including blocking internet access to and from the MOVEit server. Additionally, the official statement from the State of Maine reported that security measures were implemented upon the recommendation of Progress Software, and that outside legal counsel and external cybersecurity experts were brought in to investigate the nature and scope of the incident.

This is not the first time that US federal agencies that utilize MOVEit, a popular file-transfer platform, have been targeted in cyber attacks. Earlier in the summer, agencies including the Department of Health and Human Services, the Department of Agriculture, and the General Services Administration confirmed exposure to the MOVEit hack.

The MOVEit data breach is easily the largest hack of 2023, having impacted thousands of companies since its inception in May 2023, when the ransomware gang Clop began exploiting a zero-day vulnerability in MOVEit. While Progress quickly issued a patch, some users of the service continued to be attacked because the patch had not yet been installed on their servers.

According to data collected by GovSpend, a number of federal and state government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services, and arms of the Defense Department, and, at the state level, the Colorado Department of Health Care Policy and Financing, the Maryland Department of Human Services, and the New York City Department of Education. A running tally maintained by Emsisoft shows that over 2,000 primarily U.S.-based organizations have reported being attacked, with data thefts affecting more than 62 million people.