MOVEit Hack Impacts 1.3 Million Residents of Maine

Maine has joined the list of entities severely impacted by a cyberattack exploiting a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. This critical security flaw, an unauthenticated SQL injection, allowed a notorious ransomware group to infiltrate and access data moving through MOVEit.

The attack's reach is extensive, with cybersecurity experts at Emsisoft reporting over 2,500 organizations and approximately 69 million individuals affected globally. Within this vast number, the State of Maine has identified 1.3 million of its residents as victims of the breach, as announced in their recent statement.

This breach exposed a variety of personal data, including names, birth dates, Social Security numbers, driver’s license or state ID numbers, taxpayer identification numbers, and, for some, medical and health insurance information. The State of Maine manages and holds this information for various purposes, ranging from residency and employment records to interactions with state agencies. Additionally, the state participates in data sharing agreements to enhance its service offerings.

Investigations reveal that on May 28th and 29th, hackers accessed and downloaded files from several Maine state agencies via the compromised MOVEit server. However, they confirmed that no other systems were breached. The Department of Health and Human Services was the most affected, with over half of the compromised files pertaining to it, followed by the Department of Education.

In response to the incident, Maine took immediate measures to secure its data, including cutting off internet access to and from the affected MOVEit server. The state has begun the process of notifying individuals impacted by the breach and is offering them free credit monitoring and identity theft protection services to mitigate the potential aftermath of the attack.