The State of Maine is the latest entity to disclose significant impact from the cyberattack targeting a zero-day in Progress Software’s MOVEit file transfer tool earlier this year.
By exploiting the vulnerability, described as a critical unauthenticated SQL injection issue, a notorious ransomware gang accessed data transferred through the MOVEit software.
Of the affected individuals, 1.3 million are Maine residents, the State of Maine announced on Thursday, saying it has completed its investigation into the compromised data.
The attackers accessed personal information such as names, dates of birth, Social Security numbers, driver’s license/state identification numbers, and taxpayer identification numbers, and, in some cases, medical information and health insurance information, the State of Maine says.
“The State of Maine may hold information about individuals for various reasons, such as residency, employment, or interaction with a state agency. The State also engages in data sharing agreements with other organizations to enhance the services it provides to its residents and the public,” Maine notes.
In an online notification, the state reveals that, between May 28 and May 29, the attackers accessed and downloaded “files belonging to certain agencies in the State of Maine” through Maine’s MOVEit server, with no other systems being compromised.
The Maine Department of Health and Human Services was impacted the most, as more than 50% of the stolen files belonged to it, with the Maine Department of Education being second most affected (owning 10-30% of the files).
“As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server,” the State of Maine says.
Maine has started notifying the impacted individuals and is providing them with complimentary credit monitoring and identity theft protection services.