In another data breach incident related to MOVEit, a US government services contractor named Maximus has become the latest victim. According to a filing by Maximus with the Securities and Exchange Commission, the attack has potentially compromised the data of up to 11 million individuals. It has been reported that the hackers did not progress further than the MOVEit file transfer platform, and upon detection of the breach, the company immediately isolated it from the rest of the corporate network.
Reports suggest that personal information, such as social security numbers, protected health information, and other personal details of at least 8 to 11 million individuals, may have been affected. The Cl0p ransomware gang, which has claimed responsibility for numerous mass-hacks impacting organizations worldwide, recently added Maximus to its dark web data leak site. Along with Maximus, seventy other new victims, including Deloitte and Flutter, were added to the site. The cybercriminals behind the attack claim to have stolen 169 gigabytes of data from Maximus, but they have not yet released the data online.
The incident highlights the pervasive vulnerabilities in the software supply chain. Ray Kelly, a fellow at Synopsys Software Integrity Group, emphasizes the importance of securing the software supply chain to protect data privacy. He states that a single vulnerability in a third-party vendor’s software can lead to the compromise of personally identifiable information in every organization that the vendor services. Kelly advises organizations to ensure their third-party vendors undergo regular security assessments and comply with policy standards such as GDPR and SOX to mitigate future ransomware attacks via the software supply chain.
Stephan Chenette, the Co-Founder and CTO at AttackIQ, commented on the Cl0p ransomware group’s exploitation of the MOVEit vulnerability across various industries. He emphasized the critical need for organizations to adopt a threat-informed cyber-defense strategy to defend against ransomware attacks effectively. Organizations should focus on naming the ransomware threats and tactics used by adversaries, align their defenses against those threats, and continuously evaluate program performance.
In a separate incident, cyber-extortionists have published explicit photos and private details of approximately eighty patients of well-known plastic surgeon Gary Motykie. The attackers’ goal is clear—to extort money from the victims. They offer victims the option to pay $2,500 to guarantee that their data will not be made public. One victim expressed shock and horror upon discovering that her private information had been exposed without her knowledge. The breach is believed to have impacted over three thousand patients, according to a filing submitted by Motykie’s legal team.
The extortion attempt stands out from typical cases, as the website created by the attackers appears to have been carefully designed to outrage victims. Patients affected by the breach claim that they were not notified by Motykie’s office but learned of the breach only after the pictures were spotted online. This lack of communication from the organization has drawn criticism, with cybersecurity experts suggesting that organizations should take responsibility for informing individuals whose data has been compromised, rather than leaving it up to the hackers.
Motykie’s social media and public relations manager, Ethan Reynolds, stated that the practice has made efforts to reach out to affected patients. However, due to the high volume of patients, it is not feasible to personally connect with every individual who has been part of the practice. This response further emphasizes the need for effective communication and timely notifications in the event of a data breach.
These incidents serve as stark reminders of the importance of cybersecurity and safeguarding sensitive data. Organizations must prioritize securing their software supply chains and regularly assessing the security controls of third-party vendors. Additionally, transparent communication and notification procedures are crucial in maintaining trust and mitigating the potential harm caused by data breaches.