Pierluigi Paganini November 12, 2023

The State of Maine disclosed a data breach that impacted about 1.3 million people after an attack hit its MOVEit file transfer install.

The State of Maine was the victim of the large-scale hacking campaign that targeted organizations using the MOVEit file transfer tool. The Government organization disclosed a data breach that impacted about 1.3 million individuals. Threat actors exploited the zero-day vulnerability CVE-2023-34362 to hack the file transfer platform and steal the data of the organization. The security breach took place in the State between May 28, 2023, and May 29, 2023.

“On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.” reads the notice of Security Incident.

The incident was limited to the MOVEit server of the State and did not impact any other State networks or systems.

The type of data accessed by the threat actors varies on the individual and their association with the State. Compromised data may include the Social Security number (SSN), date of birth, driver’s license/state identification number, and taxpayer identification number. The attackers also gained access to medical information and health insurance information of some individuals.

“As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server.” continues the incident. “The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.”

The State of Maine is offering two years of complimentary credit monitoring and identity theft protection services to those individuals who had their Social Security numbers or taxpayer identification numbers exposed.

The State of Maine has set up a call center to help people determine if their data was involved, citizens can call (877) 618-3659 (Monday to Friday, 9 AM to 9 PM ET).

At the end of August, cybersecurity firm Emsisoft shared disconcerting details about the recent, massive hacking campaign conducted by the Cl0p ransomware group that targeted the MOVEit Transfer file transfer platform designed by Progress Software Corporation.

According to the experts, the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals.

The data is sourced from state breach notifications, SEC filings, and other public disclosures, as well as the leak site maintained by the Cl0p group, and is current as of August 25, 2023.

The researchers reported that the attacks impacted tens of millions of individuals. Below is the list of organizations with the highest number of impacted individuals:

“U.S.-based organizations account for 83.9 percent of known victims, Germany-based 3.6 percent, Canada-based 2.6 percent, and U.K.-based 2.1 percent.” reads the report published by Emsisoft. “The most heavily impacted sectors are finance and professional services and education, which account for 24.3 percent and 26.0 percent of incidents respectively.”

The experts explained that is impossible to accurately calculate the cost of the MOVEit security breaches. However, using data from IBM’s “Cost of a Data Breach Report 2023” report, it is possible to estimate the cost. According to the report, data breaches cost an average of $165 USD per record, while the number of individuals impacted by the MOVEit campaign is 60,144,069, this suggests that the total cost is $9,923,771,385. However, Emsisoft highlighted that only a minority of victims have so far reported the number of individuals impacted.

If the same average number of individuals is confirmed to have been impacted for each of the remaining known incidents, the total cost of this campaign will reach $63,896,282,853.

Researchers from cybersecurity firm Resecurity also published a report that confirms the data shared by Emsisoft. As of August 23, Resecurity reported that 963 public and private sector organizations was hit by the MOVEit campaign.

“The most impacted sectors are finance, professional services, and education, which collectively account for over 48% of reported victims.” reported Resecurity. “Cl0p is anticipated to generate between $75 mm and $100 mm in primary ransom payouts, making it the most significant cyberattack of all time.”

me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, security breach)