The Maine government has confirmed that more than a million people had their personal information stolen in a data breach earlier this year by a Russian-linked ransomware gang.
In announcement published on Thursday, the Maine government said hackers exploited a vulnerability in the MOVEit file transfer system, which stored sensitive data on state residents. Hackers used the vulnerability to access and download files belonging to some government agencies between May 28 and May 29, the statement said.
The Maine government said it was disclosing the incident and notifying affected individuals as its assessment of the affected records was “recently completed.”
Maine said stolen information can include a person’s name, date of birth, social security number, driver’s license and other state or taxpayer identification numbers. Some people received medical and health insurance information.
The statement said the state holds information about residents “for a variety of reasons, such as residency, employment or interaction with a state agency,” and that the data it holds varies by individual.
According to the state’s breakdown of which agencies are affected, more than half of the stolen data is related to the Maine Department of Health and Human Services, with about a third of the data affecting the Maine Department of Education. The rest of the data affects various other agencies, including the Maine Bureau of Motor Vehicles and the Maine Department of Corrections, although the government notes that the analysis of the information is subject to change.
It is not known how recent the stolen data is or what years the stolen data belongs to.
Although more than 1.3 million people live in the state, Maine spokeswoman Sharon Hundley told TechCrunch via email on Friday that the breach “doesn’t match the current population, and out-of-state people were also exposed.”
Inside data breach notification filed with its attorney general’s office, the Maine government said 534,194 people — or 40 percent of all those affected — are state residents.
Maine state government is the latest victim to disclose a breach related to the massive MOVEit breach, considered the year’s largest hacking incident by victim count alone.
MOVEit systems are file transfer servers used by thousands of organizations around the world to transfer large sets of often sensitive data over the Internet. In May, system developer Progress Software patched a vulnerability that allowed cybercriminals — specifically the notorious Clop ransomware and extortion gang — to massively breach MOVEit servers around the world and steal sensitive customer data stored inside .
According to cybersecurity firm Emsisoft, which has tracking mass exploitationmore than 2,500 organizations have disclosed data breaches related to MOVEit, affecting at least 69 million people — though the actual number is likely to be much higher as more organizations come forward.
Emsisoft lists the Maine security incident as the eleventh largest MOVEit-related breach disclosed at the time of writing, behind the Ontario birth registry. the states of Colorado, Oregon and Louisiana; and US government contractor Maximus. Several US federal agencies were also affected, including the US Department of Energy.
Clop has yet to list Maine on his leak site, as he has with other MOVEit-related victims. Ransomware gangs often publish parts of stolen files to blackmail organizations into paying a ransom. The Clop gang has previously claimed to delete government data. Cybercriminals have been known to mislead or outright lie if it results in them getting paid or keep the stolen data if it can be financially valuable elsewhere.
Clop is a Russian-language ransomware gang that researchers have linked to previous mass hacking incidents involving similar file transfer tools, including Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer app.
Last week, Progress Software said in a regulatory filing that the US Securities and Exchange Commission had subpoenaed the company seeking “various documents and information” related to the MOVEit vulnerability. Progress said it intends to “fully cooperate” with the SEC’s investigation.
Updated the first paragraph to clarify that Clop is connected to, but not necessarily supported by, Russia, and on Friday with additional details from the Maine representative.
