Cyberattack in Maine compromised data of nearly entire state population

State agencies in Maine have fallen victim to cybercriminals exploiting a vulnerability in the MOVEit file transfer tool, adding to the growing list of those affected by the widespread attack associated with this software.

The state government’s official cybersecurity announcement revealed that about 1.3 million individuals were impacted, essentially encompassing the entire population of Maine. The MOVEit program vulnerability was discovered on May 31st this year, but attackers managed to access and download files from various state agencies on May 28th and 29th.

Government reports indicate the nature of the stolen data varies depending on an individual's interactions with specific agencies. However, the cybercriminals acquired names, social security numbers, birth dates, driver's license and state ID numbers, as well as tax identification numbers. In some instances, medical information and health insurance data were also compromised. Over 50 percent of the stolen data pertained to Maine’s Department of Health and Human Services and the Department of Education.

Upon learning of the incident, the state government immediately cut off internet access to and from the MOVEit server. Nevertheless, since the attackers had already extracted resident information, the state is now offering two years of free credit monitoring and identity theft protection services to those whose social security and tax identification numbers were compromised. TechCrunch notes that the Clop group, believed to be behind earlier incidents, has not yet published the stolen data from Maine's state agencies.

Clop has also acknowledged its role in a previous hacking incident involving the New York Department of Education, where information about approximately 45,000 students was stolen. The exploiters, utilizing the vulnerability, have targeted not just government bodies but companies worldwide. Among them are Sony and Maximus Health Services, Inc, an American government contractor, whose breach is currently the largest incident linked to MOVEit.

The Securities and Exchange Commission has initiated an investigation into Progress Software, the creator of MOVEit.