Maximus Inc., a US government services provider, has become the latest victim of the Clop ransomware gang’s attack on Progress Software Corp.’s MOVEit file transfer software. This attack has resulted in the theft of information belonging to an estimated 11 million people.
Maximus specializes in providing services for the US healthcare industry, specifically Medicaid, Medicare, health care reform, welfare-to-work, and student loan servicing. The company disclosed the incident to the US Securities and Exchange Commission after discovering that it had been impacted by the initial attack exploiting the MOVEit vulnerability, which has affected organizations worldwide. The full extent of the attack is still unclear, as Maximus also provides services to countries outside the US, such as Australia, Canada, and the UK.
With the Clop ransomware group being identified as responsible for the attack, Maximus joins the growing list of high-profile companies that have fallen victim, including the US Department of Energy, Shell, the BBC, British Airways, and the University of Georgia.
In response to this attack, industry experts have expressed their thoughts on the situation. Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems, emphasizes the importance of closely monitoring and continuously evaluating the security of suppliers and supply chains. While patches for the two zero-day vulnerabilities in the MOVEit software have been released, many large organizations struggle to quickly patch their systems, leaving them susceptible to further breaches. Wilkes believes that compliance-driven security checks and protocols, such as PCI-DSS and HIPAA, provide only a starting point for security posture. Regular and continuous audits of systems, rigorous security testing, and bug bounty programs involving ethical hackers can help identify and rectify vulnerabilities.
Erfan Shadabi, a cybersecurity expert at comforte AG, highlights the particular damage that a breach in the healthcare sector can cause, given the sensitive nature of the data involved. This breach exposes personal and medical information, leading to identity theft, medical fraud, and financial losses. Shadabi argues that organizations, especially in the healthcare sector, should prioritize data-centric security measures. These measures include encrypting data, implementing strict access controls, and continuously monitoring systems to safeguard personal and healthcare data effectively.
Ray Kelly, a fellow at the Synopsys Software Integrity Group, stresses the importance of securing the software supply chain to protect data privacy. He advises organizations to ensure that third-party vendors undergo regular security assessments and meet compliance policy standards, such as GDPR and SOX. However, Kelly acknowledges that these practices alone cannot guarantee protection against future ransomware attacks via the software supply chain.
The MOVEit attack on Maximus Inc. serves as yet another reminder of the ever-evolving nature of cyber threats and the need for organizations to remain vigilant in their security efforts. With data breaches becoming increasingly common and damaging, it is crucial for companies to prioritize the security of their systems and the protection of sensitive information. This includes regularly updating and patching software, implementing robust security measures, and continuously evaluating and improving security frameworks. By taking these proactive steps, organizations can mitigate the risk of falling victim to cyber-attacks and safeguard the data and trust of their customers.

