The government of Maine has confirmed over a million individuals had personal information stolen in a data breach earlier this year by a Russia-linked ransomware gang.
In a statement published Thursday, the Maine government said hackers exploited a vulnerability in its MOVEit file-transfer system, which stored sensitive data on state residents. The hackers used the vulnerability to access and download files belonging to certain state agencies between May 28 and May 29, the statement read.
The Maine government said it was disclosing the incident and notifying affected individuals as its assessment of the impacted files “was recently completed.”
Maine said that the stolen information may include a person’s name, date of birth, Social Security number, driver’s license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken.
The statement said the state holds information about residents “for various reasons, such as residency, employment, or interaction with a state agency,” and that the data it holds varies by person.
According to the state’s breakdown of which agencies are affected, more than half of the stolen data relates to Maine’s Department of Health and Human Services, with up to about a third of the data affecting the Maine’s Department of Education. The remaining data affects various other agencies, including Maine’s Bureau of Motor Vehicles and Maine’s Department of Corrections, though the government notes that the breakdown of information is subject to change.
It’s not known how recent the stolen data is or what years the stolen data pertains to.
Although more than 1.3 million people live in the state, Maine government spokesperson Sharon Huntley told TechCrunch by email on Friday that the breach is “not a match to the current population and out of state people were exposed as well.”
In its data breach notice filed with its own attorney general’s office, Maine’s government said 534,194 individuals — or 40% of all those affected — are state residents.
The Maine state government is the latest victim to disclose a breach related to the MOVEit mass hack, thought to be the largest hacking incident of the year by the numbers of victims alone.
MOVEit systems are file transfer servers used by thousands of organizations around the world to move large sets of often-sensitive data over the internet. In May, the system’s maker Progress Software fixed a vulnerability that allowed cybercriminals — specifically the notorious Clop ransomware and extortion gang — to mass-hack MOVEit servers around the world and steal the customers’ sensitive data stored inside.
According to cybersecurity firm Emsisoft, which has been tracking the mass exploitation, more than 2,500 organizations have disclosed MOVEit-related data breaches, affecting at least 69 million people — though the true number is likely to be far higher as more organizations come forward.
Emsisoft lists Maine’s security incident as the eleventh largest MOVEit-related breach disclosed at the time of writing, behind Ontario’s birth registry; the states of Colorado, Oregon, and Louisiana; and U.S. government contractor Maximus. Several U.S. federal agencies were also affected including the U.S. Department of Energy.
Clop has not yet listed Maine on its leak site as it has with other MOVEit-related victims. Ransomware gangs often publish portions of the stolen files to extort organizations into paying a ransom. The Clop gang has previously claimed it deletes government data. Cybercriminals are known to mislead or outright lie if it results in them getting paid, or retain the stolen data if it can be financially valuable elsewhere.
Clop is a Russia-speaking ransomware gang, which researchers have linked to previous mass-hacking incidents involving similar file transfer tools, including Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.
Last week, Progress Software said in a regulatory filing that the U.S. Securities and Exchange Commission had subpoenaed the company seeking “various documents and information” related to the MOVEit vulnerability. Progress said it intends to “cooperate fully” with the SEC’s investigation.
Updated the first paragraph to clarify that Clop is linked to, but not necessarily backed by Russia, and on Friday with additional details from Maine’s spokesperson.