More than 1 million people who had contact with Maine state agencies have been caught up in a Russian gang’s international cybersecurity breach, potentially exposing their Social Security numbers, dates of birth and other confidential information, state officials said Thursday.
The Department of Administrative and Financial Services is notifying people who may have been affected by what it called a “global cybersecurity incident” that occurred May 28 and May 29 concerning the file transfer tool, MOVEit. The state is among several thousand organizations affected by software vulnerability that allowed cybercriminals to access and download data, the state said in an announcement about the breach. It affected industries such as insurance, finance, education, health and government.
The breach, which affected 1.3 million people, exposed data on more than half of the state Department of Health and Human Services workers and between 10% and 30% of the employees at the Department of Education. Maine’s population is 1.37 million people.
Other affected agencies are the Office of the Controller, Workers’ Compensation, Bureau of Motor Vehicles, Department of Corrections, Department of Economic and Community Development, Bureau of Human Resources, Department of Professional and Financial Regulation, and the Bureau of Unemployment Compensation.
Once the breach was discovered, the state sought to identify people whose information might have been compromised. The assessment of those affected took months and was recently completed. The state is now notifying individuals using a press release issued nationwide, the U.S. Postal Service and email.
The exploited program, MOVEit, a file-transfer platform made by Progress Software Corp., is widely used by businesses to share files, The Associated Press reported in June. The breach was blamed on a Russian cyber-extortion gang’s hack of a file-transfer program popular with corporations and governments.
The incident in May was specific and limited to Maine’s MOVEit server and did not impact any other state networks or systems, according to information posted on the state’s website.
Maine agencies hold information about people related to residency, employment or interaction with a state agency. The state also engages in data sharing agreements with other organizations to enhance the services it provides.
THOUSANDS OF BREACHES
The incident is the latest in a string of Maine cyber breaches that have become commonplace. The Office of the Maine Attorney General keeps a log of data breach notifications. Since June of 2020, there have been more than 3,000 entries.
In March, a breach occurred that affected 35,000 Mainers. PharMerica Corp., a Kentucky-based pharmacy services company, said hackers stole names, Social Security numbers, insurance information and medication history from the records of 5.8 million people nationwide.
In April, 20,000 Mainers received a notice that hackers had accessed their Social Security numbers, Medicare member numbers and health plan subscriber numbers from the database of NationsBenefits, a health insurance administrator in Florida.
Also in April, a data breach at California-based NextGen Healthcare exposed electronic health records of more than 1 million people, including 3,900 Mainers.
Besides creating anxiety for consumers, these breaches represent mounting costs for businesses and agencies that oversee data systems.
The average cost of a data breach reached an all-time high this year, about $4.5 million, up 2.3% from 2022, according to a report by IBM Security, “Cost of a Data Breach Report 2023.” The average cost has increased 15.3%, from $3.9 million, in 2020. Health care data breach costs have increased 53.3% since 2020 and for the 13th consecutive year, the health care industry reported the most expensive data breaches, at an average cost of $10.9 million, according to the report.
Participants in the IBM report were almost equally split on whether they plan to increase security investments because of data breaches. The top areas identified for more spending include incident response planning and testing, employee training, and threat detection and response technologies.
MAINE RESPONSE
Maine officials said they blocked internet access to and from the MOVEit server and applied security measures to patch the vulnerability once it was discovered. The state also hired lawyers, sought the expertise of external cybersecurity professionals to investigate the scope of the problem, and looked to identify people whose information may have been affected when the breach first occurred.
The state has established a website, www.maine.gov/moveit-global-data-security-incident, to provide the latest information concerning the hack. A dedicated call center has been established to answer questions. It can be reached at 877-618-3659, with representatives available from 9 a.m. to 9 p.m. Monday to Friday.
Emsisoft, a New Zealand anti-virus software company, said more than 2,500 organizations and 67.6 million individuals have been affected by the MOVEit breach. It cited state breach notifications, filings with the U.S. Securities and Exchange Commission, other public disclosures and the website of Clop, the ransomware organization accused of stealing information.
Staff Writer Hannah LaClaire contributed to this report.
This story was updated at 11:30 a.m. Friday to change the percent of state employees affected by the breach to the percent of data exposed within the Department of Health and Human Services and the Department of Education, according to information provided by the state. It was changed again at 4:15 p.m. to restore the original language, which was correct.
Send questions/comments to the editors.