Government services provider Maximus Inc. has become the latest victim of the Clop ransomware gang, which targeted a critical vulnerability in Progress Software Corp.'s MOVEit file transfer software, stealing the data of as many as 11 million people.
Maximus, which provides services for Medicaid, Medicare, health care reform, employment benefits, and student loans, disclosed in a filing with the U.S. Securities and Exchange Commission that it had been hacked. The July 26 filing said the company became aware that its data may have been compromised after it was revealed that its MOVEit file transfer software had been compromised on May 31. However, the filing did not state the specific date on which the company detected that its internal systems were also compromised.
After ordering an investigation into the incident, Maximus discovered that data belonging to at least 8 million to 11 million individuals was affected. The stolen data included personal information such as social security numbers, protected health information, and personally identifiable information.
Maximus has notified affected customers and is cooperating with federal and state regulators. Customers also receive free credit monitoring and identity restoration services.
What is not clear from this disclosure is whether the victims were solely in the United States or in other countries. Although reports refer to Maximus as a “U.S. government contractor,” the company also provides services to governments in other English-speaking countries, including Canada, the United Kingdom, and Australia.
Maximus is not the first organization to be compromised by the MOVEit vulnerability. On June 7, it was reported that the BBC, British Airways, and pharmacy chain Boots UK Ltd may have had their payroll data stolen as a result of the MOVEit attack. On June 15, the list of known victims expanded to include the U.S. Department of Energy, Shell Corporation, UnitedHealthcare Student Resources, University of Georgia, University System of Georgia, Heidelberger Druckmaschinen AG, and Randall Green-Parks.
MOVEit is managed file transfer software designed to provide secure and compliant file transfer of sensitive data within and between organizations. The vulnerability, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.
“This large-scale exploitation of the MOVEit vulnerability once again proves the importance of securing the software supply chain when it comes to data privacy,” Ray Kelly, a fellow in the Synopsys Software Integrity Group, told SiliconANGLE. “The takeaway for business leaders is clear: All it takes is one vulnerability in one piece of a third-party vendor's software for personally identifiable information in every organization the vendor serves to be compromised and leaked.”
Erfan Shadabi, cybersecurity expert at data security specialist Comfort AG, warned that a breach in the healthcare sector would be extremely costly given the sensitivity of the data involved.
The breach “exposes some of the most private personal and medical information of an already vulnerable population, leading to identity theft, healthcare fraud, and financial loss for individuals and organizations,” Shadabi said. “Such incidents undermine trust, impact patient safety, and have significant legal and regulatory consequences.”

