The State of Maine has announced that its systems were breached after threat actors exploited a vulnerability in the MOVEit file transfer tool and accessed personal information of about 1.3 million, which is close to the state’s entire population.
MOVEit attacks were part of a massive data theft campaign from the Clop ransomware gang who, on May 27, started to exploit a zero-day vulnerability in the software product.
Various Maine state agencies were among the thousands of organizations worldwide using the Progress Software data transfer product.
“On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data,” reads the press release.
“The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023” – The State of Maine
The exposed information belonging to 1.3 million individuals, including minors, concerns the following data types:
- Full name
- Social Security number (SSN)
- Date of birth
- Driver’s license
- State identification number
- Taxpayer identification number
- Health insurance information
The exact data types exposed for each individual varies depending on their interaction with Maine’s state agencies.
The most impacted agency was Maine’s Department of Health and Human Services, followed by the Maine Department of Education.
Other departments affected by the MOVEit breach, albeit to a lesser extent, are the Administrative and Financial Services, Workers’ Compensation, Bureau of Motor Vehicles, Corrections, Economic and Community Development, Professional and Financial Regulation, and Labor.
The State of Maine explains that the delay in notifying the public about the exposure of sensitive data was due to conducting a thorough investigation.
All affected citizens whose SSNs or tax information was exposed will receive notifications with instructions for opting for free-of-charge two-year credit monitoring and identity theft protection services.
Recipients are advised to regularly monitor their financial accounts for suspicious activity or charges they don’t recognize and contact their bank and/or law enforcement authorities to report it as soon as possible.
The State of Maine has also set up a dedicated call center to address people’s concerns about this security incident at (877) 618-3659 (Monday to Friday, 9 AM to 9 PM ET).