What You Need to Know
- The state learned about the breach May 31.
- The breach mainly affected records related to health services and education.
- Officials say they determined which individuals might have been affected before announcing the breach.
The state of Maine has joined the list of entities hit hard by the Cl0p ransomware group attack on the MOVEit file transfer system.
Maine officials announced Thursday that the MOVEit breach may have exposed the personal information of 1.3 million people who have done business with Maine government agencies, including at least 534,194 Maine residents. Maine has a population of 1.4 million.
At least some of the records breached included driver’s license numbers, state identification card numbers, Social Security numbers, medical information and health insurance information.
Most of the records affected were gathered by the Maine Department of Health and Human Services or the Maine Department of Education, not by the agencies that handle matters such as collecting taxes and processing unemployment insurance claims.
What it means: Verifying the identities of clients who live in Maine, helping them get and maintain access to online account management systems, and monitoring their assets could get more complicated.
The breach: MOVEit has been a popular system for moving large, sensitive data files.
Many life insurance, health insurance, annuity, retirement services providers and investment managers have used MOVEit to perform tasks such as checking to see whether people are still alive and verifying people’s identities.
Cl0p, a group believed to be led by people from Russia, got into the MOVEit system computers in May. Cl0p asked the organizations that were using MOVEit for ransom money. Later, in August, Cl0p posted what it said were all of the records on the internet.
KonBriefing Research says the attack has affected more than 67 million people and 2,381 organizations around the world. Security experts think of it as a major breach, although still much smaller than the 2017 Equifax breach, which affected 147 million U.S. consumers.
Lawyers have filed more than 100 federal court and state court suits on behalf of consumers affected by the breach, against the managers of the MOVEit system and companies that were using the MOVEit system. The federal courts are trying to consolidate handling of pretrial discovery for the federal MOVEit cases in the U.S. District Court in Boston.
The Boston court is now busy reviewing motions filed by parties that want to have their cases handled separately, away from the multidistrict litigation process.
Maine: Maine officials said in a document on a MOVEit Global Security Incident website they created that they learned about the MOVEit breach May 31.
“This incident was specific and limited to Maine’s MOVEit server and did not impact any other state networks or systems,” officials said.
The type of data affected varies from person to person, and individuals who may have been affected should call special call centers to find out whether they were affected and, if so, what kinds of data might be involved, officials added.