The recent MOVEit breach continues to have far-reaching consequences, with Maximus Inc., a US government contractor, being the latest victim. While the company’s internal systems remained untouched, the personal information of 8 to 11 million individuals may have been compromised.
Maximus is known for providing technology services for government programs such as student loan servicing, Medicaid, and Medicare. With operations in multiple countries and a workforce of over 39,000 employees, the company generates an annual revenue of more than $4.25 billion.
According to Maximus’ 8-K form filed with the Securities and Exchange Commission (SEC) on July 26, the company fell victim to the GoAnywhere MOVEit attack orchestrated by the Cl0p ransomware gang. The attackers managed to access files that contained sensitive information, including Social Security numbers, protected health information, and other personal details, potentially affecting millions of individuals.
Maximus made it clear that the incident had not impacted any other parts of its corporate network, and it expressed confidence in the integrity of its overall network. However, in its 8-K filing, the company estimated that it incurred breach-related expenses of approximately $15 million in the second quarter.
As time goes on, more victims of the MOVEit breach are emerging. The hackers began exfiltrating data on May 27 using a zero-day SQL injection vulnerability in GoAnywhere’s MOVEit file transfer software. In the month following GoAnywhere’s disclosure of the incident, there was a significant increase in ransomware attacks, with Cl0p responsible for 21% of the total.
The antivirus company Emsisoft has since tracked the impact of the MOVEit breach, discovering that 514 organizations and almost 36.1 million individuals have been affected. The majority of those impacted, 72.7%, are based in the US, and 10.5% belong to the public sector.
However, measuring the full extent of this breach is challenging. Many of the affected organizations provide services to other entities, so the number of victims could increase significantly as more notifications are filed. It is therefore not only the customers of MOVEit who are at risk, but also the customers of MOVEit’s customers.
Kurt Osburn, the director of risk management and governance at NCC Group, warns that all organizations must be vigilant in protecting sensitive data. This includes maintaining up-to-date intrusion detection systems, conducting regular penetration testing and vulnerability scanning, and ensuring the encryption of transactions with individuals and other companies.
While the breach poses a significant risk to businesses, it also has severe implications for everyday individuals. Maximus, as a government supply chain vendor, manages the personal and sensitive records of millions of people. This makes it an attractive target for Dark Web data merchants. The compromised data, such as medical records, can be sold for a substantial amount on the Dark Web, exposing individuals to various fraudulent activities.
Osburn emphasizes the value of medical records on the Dark Web, highlighting that hackers can use the information to commit identity theft, open fraudulent credit card accounts, file false tax returns, and engage in other criminal activities. He states that this ongoing problem will persist due to the high value of such records and the potential consequences for individuals affected by the breach.
Ultimately, the MOVEit breach serves as a reminder of the ongoing threats faced by organizations and individuals in an increasingly interconnected world. The need for robust cybersecurity measures, continuous monitoring, and proactive risk management practices has never been more critical.

