State of Maine discloses a data breach

The State of Maine was the victim of the large-scale hacking campaign that targeted organizations using the MOVEit file transfer tool. The Government organization disclosed a data breach that impacted about 1.3 million individuals.

Threat actors exploited the zero-day vulnerability CVE-2023-34362 to hack the file transfer platform and steal the data of the organization. The security breach took place in the State between May 28, 2023, and May 29, 2023.

The incident was limited to the MOVEit server of the State and did not impact any other State networks or systems. The type of data accessed by the threat actors varies on the individual and their association with the State. Compromised data may include the Social Security number, date of birth, driver’s license/state identification number, and taxpayer identification number. The attackers also gained access to medical information and health insurance information of some individuals.

“As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server.The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.”

The State of Maine is offering two years of complimentary credit monitoring and identity theft protection services to those individuals who had their Social Security numbers or taxpayer identification numbers exposed.

The State of Maine has set up a call center to help people determine if their data was involved, citizens can call (877) 618-3659 (Monday to Friday, 9 AM to 9 PM ET).

At the end of August, cybersecurity firm Emsisoft shared disconcerting details about the recent, massive hacking campaign conducted by the Cl0p ransomware group that targeted the MOVEit Transfer file transfer platform designed by Progress Software Corporation.

According to the experts, the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals.

The data is sourced from state breach notifications, SEC filings, and other public disclosures, as well as the leak site maintained by the Cl0p group, and is current as of August 25, 2023.