Maine says MOVEit data breach compromised the data of 1.3m individuals

The government of Maine in the United States recently announced that the information of approximately 1.3 million individuals was compromised after cyber criminals exploited a software vulnerability to access its MOVEit server and download the stored data.

The government of Maine said it uses MOVEit, a third-party file transfer tool owned by Progress Software to send and receive data. It said that it was informed by Progress Software on 31st May about a critical security vulnerability in the software that was under active exploitation by cyber criminals.

The government said it conducted an investigation to assess the impact of the vulnerability exploitation and determined that hackers accessed its MOVEit server between 28th May and 29th May and downloaded information associated with several state government agencies.

"The State of Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person. The State encourages individuals to reach out to its dedicated call center to verify if they were affected and, if so, to identify what specific data of theirs was involved," it said.

"The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved."

It added that the compromised information includes affected individuals’ names, SSNs, dates of birth, driver’s licences, state identification numbers, taxpayer identification numbers and certain types of medical and health insurance information.

Maine said there was a long delay in providing this information to the public as it carried out an extensive evaluation to identify the individuals whose information may have been impacted. "This thorough assessment was a critical component of Maine’s response, as it facilitated the State in providing notifications to those who may have been affected," it explained.

The state said it blocked Internet access to the compromised MOVEit server as soon as it detected the breach and later determined that the incident did not impact any other IT systems. Over 50% of the information compromised due to the security breach belonged to the Maine Department of Health and Human Services and up to 30% of the compromised data belonged to the Maine Department of Education.

The state government said it is offering two years of complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identification numbers were accessed.