State of Maine MOVEit Breach Exposes 1.3M People's Data

Some records exposed included driver's license numbers and Social Security numbers.

The state of Maine has joined the list of entities hit hard by the Cl0p ransomware group attack on the MOVEit file transfer system.

Maine officials announced Thursday that the MOVEit breach may have exposed the personal information of 1.3 million people who have done business with Maine government agencies, including at least 534,194 Maine residents. Maine has a population of 1.4 million.

At least some of the records breached included driver’s license numbers, state identification card numbers, Social Security numbers, medical information and health insurance information.

Most of the records affected were gathered by the Maine Department of Health and Human Services or the Maine Department of Education, not by the agencies that handle matters such as collecting taxes and processing unemployment insurance claims.

What it means: Verifying the identities of clients who live in Maine, helping them get and maintain access to online account management systems, and monitoring their assets could get more complicated.

 The breach: MOVEit has been a popular system for moving large, sensitive data files.

Many life insurance, health insurance, annuity, retirement services providers and investment managers have used MOVEit to perform tasks such as checking to see whether people are still alive and verifying people’s identities.

Cl0p, a group believed to be led by people from Russia, got into the MOVEit system computers in May.  Cl0p asked the organizations that were using MOVEit for ransom money. Later, in August, Cl0p posted what it said were all of the records on the internet.

KonBriefing Research says the attack has affected more than 67 million people and 2,381 organizations around the world. Security experts think of it as a major breach, although still much smaller than the 2017 Equifax breach, which affected 147 million U.S. consumers.

Lawyers have filed more than 100 federal court and state court suits on behalf of consumers affected by the breach, against the managers of the MOVEit system and companies that were using the MOVEit system. The federal courts are trying to consolidate handling of pretrial discovery for the federal MOVEit cases in the U.S. District Court in Boston.

The Boston court is now busy reviewing motions filed by parties that want to have their cases handled separately, away from the multidistrict litigation process.

Maine: Maine officials said in a document on a MOVEit Global Security Incident website they created that they learned about the MOVEit breach May 31.

“This incident was specific and limited to Maine’s MOVEit server and did not impact any other state networks or systems,” officials said.

The type of data affected varies from person to person, and individuals who may have been affected should call special call centers to find out whether they were affected and, if so, what kinds of data might be involved, officials added.

Contact information for the call centers is available on the security incident website.

Maine took steps to block access to its MOVEit server and implement other security measures as soon as it learned about the breach, officials said.

The state also hired outside lawyers and outside cybersecurity experts to help it investigate the nature and scope of the incident.

The state is offering two years of free credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identity numbers were involved.

The timing: Maine requires state-regulated entities affected by data breaches to report the breaches, and the state’s Office of the Maine Attorney General runs a breach reporting site that has given MOVEit breach observers comprehensive information about the number of organizations and people affected.

A person subject to the breach notification rules must notify Maine about a breach “no more than 30 days after the person … becomes aware of a breach of security and identifies its scope,” according to the statute.

Maine announced the breach affecting the Maine MOVEit server 162 days, and 112 business days, after May 31.

Maine talks about the timing of the announcement in a security incident website section with the heading, “Why Am I Hearing About This Now?”

“The state of Maine carried out an extensive evaluation to identify the individuals whose information may have been impacted,” according to the site. “This thorough assessment was a critical component of Maine’s response, as it facilitated the state in providing notifications to those who may have been affected. This assessment of the impacted files was recently completed, and, as a result, the state is now actively notifying the impacted individuals through various communication channels, including through a nationwide media press release, letter mail and/or email.”

MOVEit’s Reaction: A representative for the Progress Software team in charge of MOVEit issued the following statement:

“When we discovered the vulnerability in MOVEit Transfer and MOVEit Cloud, we worked quickly to provide initial mitigation strategies, deployed a patch on May 31 (within 48 hours of discovery) that fixed the vulnerability and communicated directly with our customers so they could take action to harden their environments.

“An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero day vulnerability. MOVEit Transfer is on premises software run within our customer’s environments; we don’t have visibility into our customers’ MOVEit Transfer environments, including what was being held in the environment or any data that may have been accessed by the cybercriminals.

“As we see disclosures in the media regarding the type of information that has been stolen, we empathize deeply with the individual end-users who have been impacted by this attack. We are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”

The Portland Breakwater Light in South Portland, Maine, helps guide ships through Portland Harbor. Credit: Jane/Adobe Stock