Maine disclosed one of the most extensive U.S. state-affiliated MOVEit breaches to date, one that's representative of a compromise of its entire population.
“Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person,” the state said Thursday.
Maine’s estimated population was 1,385,000 as of July 2022, according to the U.S. Census Bureau. The level of exposure on an individual basis places Maine as the 11th-largest breach related to the spree of attacks against MOVEit customers to date, according to Emsisoft.
Personal and sensitive information stored on Maine’s MOVEit server was accessed and stolen between May 28 and May 29, according to Maine’s notice. Clop’s mass exploitation of the zero-day vulnerability in MOVEit was underway before Progress disclosed the vulnerability on May 31.
Nearly 2,600 organizations have been impacted and victims continue to come forward. Maine isn’t the first, and it's far from the largest, state or government agency to be impacted.
Government contractor Maximus, in the largest breach tied to MOVEit to date, said the personally identifiable information of about 11 million people was exposed. Breaches at the the Louisiana Office of Motor Vehicles, Alogent, the Colorado Department of Health Care Policy and Financing, and the Oregon Department of Transportation round out the top five MOVEit incidents, according to Emsisoft analysis. All told, those breaches represent the compromise of more than 29 million individuals.
Files held by state agencies span health and human services, education, financial services, workers’ compensation, motor vehicles, corrections, economic and community development, human resources, financial regulation and unemployment compensation were stolen.
“Maine carried out an extensive evaluation to identify the individuals whose information may have been impacted,” Maine said in the disclosure. “This assessment of the impacted files was recently completed, and, as a result, the state is now actively notifying the impacted individuals.”
The extent of damage caused in Maine underscores the mass exposure an approved and accredited file-transfer service, which meets regulatory compliance requirements, can cause when threat actors find a way to gain access and hit thousands of downstream victims.
Some of the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers and government agencies have been hit by this slow-moving disaster.