Missouri's Department of Social Services impacted by MOVEit Transfer hacking attack

Missouri’s Department of Social Services suffered a data breach after one of its service providers, IBM, was a victim of a cyber security incident as a result of the Clop ransomware gang exploiting a zero-day vulnerability in the MOVEit Transfer web application.

In a recent notice of data breach, the Missouri Department of Social Services (DSS) said that IBM, its service provider for Medicaid services, was a victim of the global cyber security incident resulting from the exploitation of a zero-day vulnerability in the MOVEit Transfer web application. This had a cascading effect on the agency as it works with IBM Consulting for several technology-focused services.

“The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software’s MOVEit Transfer software.

“IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems but impacted data belonging to DSS. DSS took immediate steps in response to this incident that are ongoing,” DSS said.

On June 13, IBM notified DSS about the data security incident and the agency immediately launched an investigation to understand the nature of the data compromised during the incident. It later concluded that the protected health information for Medicaid participants in Missouri was affected by the breach.

“The information involved in this incident may include an individual’s name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims information,” DSS explained.

The agency has, however, clarified that no financial information was compromised during the incident. Out of an abundance of caution, DSS has urged all Missouri Medicaid participants, who enrolled in May of 2023, to freeze their credit and monitor their credit reports for unusual activity.

“Due to the size and formatting of the files, it will take some time to complete this analysis. While this analysis is ongoing, DSS is sending letters to those individuals who are potentially impacted by this incident so that they can take steps to protect their personal information,” the agency said.

“Even though our investigation is ongoing, individuals can take steps now to freeze their credit for free, which stops others from opening new accounts and borrowing money in their name, while allowing them to continue to use existing credit cards or bank accounts,” it added.

Acknowledging the news of a data breach, in a statement shared with the media, an IBM spokesperson said that the impacted MOVEit file transfer application is “used in a small number of consulting engagements, with less than a handful having any personal data impacted.”

“IBM systems were not impacted by the breach. The Missouri Department of Social Services (DSS) used MOVEit Transfer, a non-IBM product, provided by a third-party supplier under an engagement with IBM Consulting to transfer files wherever they needed to go, not to IBM.

“IBM has worked in partnership with the Missouri Department of Social Services to determine and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software. Upon receiving a security bulletin from Progress, we severed interaction of MOVEit Transfer with the department’s IT systems to avoid any further impact to Missouri citizens and their data,” the spokesperson added.