The US State of Maine’s data was accessed due to the MOVEit Transfer breach, exposing 1.3 million individuals.
Maine joins an ever-growing list of organizations impacted by the MOVEit Transfer hack, carried out by the Cl0p ransomware gang.
“The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine,” the government body said.
Since only the MOVEit server was accessed by the attackers, Maine’s internal systems were not impacted by the breach. However, the scale of the breach impacts almost all of the State’s residents.
In total, 1.3 million individuals were impacted by the breach. According to details submitted to Maine’s Attorney General, 534,194 of the affected individuals are state residents. The total population of Maine is a tad over 1.3 million.
According to the state government, various types of data were stored on the exposed server, including names, Social Security numbers (SSNs), dates of birth, driver’s license, state identification, and taxpayer identification numbers.
Some individuals may have had their medical information and health insurance data exposed as well.
“The State of Maine may hold information about individuals for various reasons, such as residency, employment, or interaction with a state agency. The State also engages in data sharing agreements with other organizations to enhance its services to its residents and the public,” the State explained.
Not all Maine’s departments, agencies, and divisions were impacted equally. For example, over half of the exposed data is estimated to come from the Maine Department of Health and Human Services, with another third from the Maine Department of Education.
The State said impacted individuals would be offered two years of complimentary credit monitoring and identity theft protection services. However, only individuals whose SSNs or taxpayer identification numbers were involved will be applicable.
Losing SSNs poses significant risks, as impersonators can use stolen data in tandem with names and driver’s license numbers for identity theft.
Earlier this year, the Cl0p ransomware cartel exploited a zero-day bug in the MOVEit Transfer software, which allowed attackers to access and download data stored there.
According to researchers at Emsisoft, over 2,500 organizations – mainly in the US – and over 69 million individuals have been impacted by MOVEit attacks by the Russia-linked ransomware cartel.
Taking IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of Cl0p attacks would add up to a staggering $11.4 billion.
More from Cybernews:
Subscribe to our newsletter