State of Maine Becomes Latest Victim of MOVEit Hack

November 10, 2023

The state government of Maine has announced a major cybersecurity incident, which may have exposed the personally identifiable information (PII) of nearly all of the state’s residents.

“On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data,” the state writes on an information page concerning the incident.

“The State of Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person. The State encourages individuals to reach out to its dedicated call center to verify if they were affected and, if so, to identify what specific data of theirs was involved.”

Maine has an estimated population of 1.372 million, as of 2021 — meaning that the attack may have impacted every member of the populace. The stolen data may have included:

  • Names and birthdates.
  • Social Security numbers and taxpayer identification numbers.
  • Driver’s license and state identification (ID) numbers.
  • Medical and health insurance information.

Engadget reports that over 50% of the stolen data came from the Maine Department of Health and Human Services. The state government is offering two years of complimentary identity theft protection and credit monitoring services to victims whose tax IDs and Social Security numbers were compromised.

The MOVEit hack is believed to be the work of the Cl0p ransomware gang.

Cl0p (sometimes written as “Clop”) is a ransomware-as-a-service group, which sells malicious software to other bad actors in exchange for a portion of the ransom or the stolen data. The Justice Department has offered a reward of up to $10 million for information regarding the group’s identities and activities.

The MOVEit Transfer hack has been the group’s crowning achievement: Clop exploited a zero-day vulnerability to compromise the tool, leading to waves of data breaches that have impacted thousands of businesses.

Progress Software, the maker of MOVEit Transfer, quickly released a patch when the vulnerability became known. However, not all businesses applied the patch, and Clop’s actors have used the tool to distribute ransomware and steal data to re-sell on the dark web.

And while Clop claims that they don’t target private individuals — even offering to erase data stolen from government agencies — ransomware groups don’t have a great track record for honesty. We would advise Maine residents to take advantage of complimentary credit monitoring services, at least until federal authorities catch up to Clop.

The state of Maine claims to have taken immediate action to mitigate the threat.

“As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server,” the state writes. 

“The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.”

Residents of Maine can contact a dedicated call center at (877) 618-3659 to determine whether their taxpayer identification numbers or Social Security numbers were compromised in the incident.

We anticipate additional attacks utilizing the MOVEit Transfer vulnerability, and that’s a fairly safe bet, since many enterprises do not patch software regularly or review their security controls. We strongly recommend reevaluating disaster recovery strategies every few years, particularly when utilizing third-party software for administration, file transfers, and other key activities.

For guidance, organizations can contact the ransomware experts at Datarecovery.com by calling 1-800-237-4200. With resources for ransomware recovery, penetration (PEN) testing, and dark web monitoring, we help clients respond to the threat of ransomware — and build resilient, self-sustainable strategies.