Skip to main content
close search
site logo

For Maine, the MOVEit attack is personal

With 1.3 million individuals compromised, the level of exposure on an individual basis is one that’s representative of a compromise of its entire population.

Published Nov. 10, 2023
Matt Kapko's headshot
Senior Reporter
Portland, Maine
"Portland, Maine" by Me in ME is licensed under CC BY 2.0

Maine disclosed one of the most extensive U.S. state-affiliated MOVEit breaches to date, one that's representative of a compromise of its entire population.

“Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person,” the state said Thursday.

Maine’s estimated population was 1,385,000 as of July 2022, according to the U.S. Census Bureau. The level of exposure on an individual basis places Maine as the 11th-largest breach related to the spree of attacks against MOVEit customers to date, according to Emsisoft.

Personal and sensitive information stored on Maine’s MOVEit server was accessed and stolen between May 28 and May 29, according to Maine’s notice. Clop’s mass exploitation of the zero-day vulnerability in MOVEit was underway before Progress disclosed the vulnerability on May 31.

Nearly 2,600 organizations have been impacted and victims continue to come forward. Maine isn’t the first, and it's far from the largest, state or government agency to be impacted.

Government contractor Maximus, in the largest breach tied to MOVEit to date, said the personally identifiable information of about 11 million people was exposed. Breaches at the the Louisiana Office of Motor Vehicles, Alogent, the Colorado Department of Health Care Policy and Financing, and the Oregon Department of Transportation round out the top five MOVEit incidents, according to Emsisoft analysis. All told, those breaches represent the compromise of more than 29 million individuals.

Files held by state agencies span health and human services, education, financial services, workers’ compensation, motor vehicles, corrections, economic and community development, human resources, financial regulation and unemployment compensation were stolen.

“Maine carried out an extensive evaluation to identify the individuals whose information may have been impacted,” Maine said in the disclosure. “This assessment of the impacted files was recently completed, and, as a result, the state is now actively notifying the impacted individuals.”

The extent of damage caused in Maine underscores the mass exposure an approved and accredited file-transfer service, which meets regulatory compliance requirements, can cause when threat actors find a way to gain access and hit thousands of downstream victims.

Some of the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers and government agencies have been hit by this slow-moving disaster.

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Breaches
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell