In a report released online on November 9, the Maine government officially confirmed that a group of cybercriminals exploited a well-known vulnerability in the MOVEit data-transfer tool. This security breach occurred between May 28 and 29, allowing unauthorized access to files owned by the State of Maine.
The incident, as per the Maine government website, was contained to the MOVEit server, with no impact on other state networks or systems. Nevertheless, the breach compromised information on 1.3 million individuals, and the type of data exposed varied from person to person. Potentially affected information includes names, Social Security numbers (SSNs), dates of birth, driver’s license or state identification numbers, taxpayer identification numbers, medical information, and health insurance details.
Upon detecting the breach, the state took immediate action by securing its information. Internet access to the MOVEit server was blocked, and security measures recommended by Progress Software were implemented. The state also initiated an investigation into the cyber incident, collaborating with legal counsel and cybersecurity experts.
Maine is the latest victim in a series of MOVEit attacks that have targeted various entities, including Shell, Gen Digital, National Student Clearinghouse, Maximus Inc., Estée Lauder, and a Colorado government department, among others.
Darren Williams, CEO and founder at BlackFog, commented on the situation, stating, “Yet again, we see the MOVEit exploit continuing to hit new victims across all sectors, with more than 640 recorded so far. The catastrophic fallout from this hack has demonstrated a cold reality: a significant number of organizations are not prepared to fend off sophisticated breaches.”
For those affected by the data breach, Maine offers resources. Individuals can contact the state’s call center to check if their data was compromised, and if so, they will receive two years of credit monitoring and identity theft protection services if their SSN or taxpayer identification numbers were involved. The state is actively notifying affected individuals through various channels, including emails and letters.
A statement on the Maine website urges affected individuals to stay vigilant by regularly reviewing their accounts and monitoring credit reports for suspicious activity. Darren Williams emphasized the crucial responsibility of governments to secure the vast amounts of data belonging to their residents, stressing the need for the adoption of cutting-edge technologies and proactive strategies to ensure the utmost protection for citizens.