Data of 1.3 million people living in Maine was stolen in a Russian gang’s international cybersecurity breach – the state has a population of 1.37 million.
The Department of Administrative and Financial Services is notifying residents of the incident, revealing their date of birth, driver’s license number, social security number and health and medical information that may have been stolen during the hack.
The attack was a ‘global cybersecurity incident’ on May 28 and May 29 concerning the file transfer tool MOVEit, which also saw 632,000 US federal employees within the US Departments of Defense and Justice accessed during the breach.
Other government agencies, major pension funds and private businesses have also been affected.
The state said it began taking steps to patch the vulnerability and engaged with experts and legal counsel.
Data of 1.3 million people living in Maine was stolen in a Russian gang’s international cybersecurity breach
It is thought that the Russian hackers were able to exploit a flaw in a software app called MOVEit Transfer, used by companies worldwide to transfer files.
In late May, the Russian-speaking gang of hackers known as CLOP began leveraging a new flaw, or exploit, discovered in a widely used file-transfer software known as MOVEit.
The hackers seemed to penetrate as many vulnerable organizations as they could identify.
‘This event has had a global impact, affecting thousands of organizations, including certain agencies in the State of Maine.
Maine has a population of 1.37 million, making nearly all of its residents victims of the attack in May
‘While impacted individuals may receive notice of this incident separately, we are sharing details broadly on our website. Please visit this website for the latest updates relating to this incident.’
The state created a website devoted to the breach.
People are encouraged to call a toll-free number to check whether their critical information was accessed.
If it was, then the state will provide free credit monitoring.
The breach also impacted several agencies: the Office of the Controller, Workers’ Compensation, Bureau of Motor Vehicles, Department of Corrections, Department of Economic and Community Development, Bureau of Human Resources, Department of Professional and Financial Regulation, and the Bureau of Unemployment Compensation.
Over 40 percent of the Maine Department of Health and Human Services staff were impacted, up to 30 percent of the Maine Department of Education, and the others had less than one percent.
‘Some State Departments/Agencies/Divisions, including Maine Revenue Services, Center for Disease Control & Prevention, and Department of Public Safety – Gambling Control Unit, had fewer than 10 individuals impacted by the incident, the official website states.
Maine is just now revealing the breach to its residents, but the public has been aware of attacks by the group since June.
The Department of Energy and several other federal agencies were compromised in the same attack.
Other victims included Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Company and the U.K. drugstore chain Boots.
The parent company of MOVIEit’s U.S. maker, Progress Software, alerted customers to the breach on May 31 and issued a patch.
But cybersecurity researchers said scores, if not hundreds of companies, likely had sensitive data quietly exfiltrated by then.
