Nearly every resident of the state of Maine has had their personal data, including social security numbers and medical records, stolen by a foreign criminal organization, the state revealed last month.
“The State of Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person,” the state said in a Nov. 9 press release.
The press release was not attributed to a particular state agency or spokesman.
Despite the breach happening between May 28 and 29, the state waited more than four months before informing residents that their personal information had been compromised.
On the government website dedicated to the breach, the state claims that it delayed the disclosure because the breach was still being investigated by an unspecified cybersecurity company.
This breach affected multiple other governments and organizations throughout the United States and abroad.
The United Kingdom was affected by the same breach, but that government announced the breach to their citizens on June 7, less than two weeks after the breach occurred.
A cybersecurity firm, Emsisoft, reported in July that over 70 million people worldwide were affected by the breach.
This report came months before Maine revealed the number of its residents affected.
Maine’s investigation revealed that 1.3 million of the state’s 1.4 million residents had their data exposed.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the hack was carried out by the Russian ransomware gang CL0P.
The breach may have allowed the ransomers to steal social security numbers, license numbers, medical records, and other personal information.
According to the State’s report, over 50 percent of the Department of Health and Human Services’ (DHHS) data was compromised, along with up to 30 percent of the Department of Education’s (DOE) data.
The percentage of other departments’ data affected was either unknown or less than one percent.
The data breach was made possible through a vulnerability in MOVEit, a file transfer tool.
Progress Software, the company that owns the MOVEit software, claims that the software “Provide[s] a secure environment for your most sensitive files.”
In response to the breach, Maine disconnected access to the MOVEit servers, and implemented security measures recommended by Progress Software.
The state did not specify what these measures entailed, whether they would protect Mainers’ data from being exploited, or merely prevent further data from being stolen.
The state provided links for both adults and minors to enroll in credit monitoring, suggesting that the personal data of minors was included in the breach of the DOE.
Maine is giving two years of complimentary data monitoring to anyone who had their social security number or taxpayer identification number stolen.
The state urged Mainers to contact them via phone at (877) 618-3659, in order to see if their data had been affected, and, if so, claim their free online data-monitoring.
The Maine Wire contacted the DHHS and the DOE, the two departments most affected by the hack, requesting interviews for more information on the breach.
Neither department responded to the request, but the Maine Wire was contacted by Director of Communications Sharon Huntley from Maine’s Department of Administrative and Financial Services.
Huntley was forwarded The Maine Wire’s request for an interview.
“I can’t provide you with an interview but I’m happy to try to answer specific questions you might have,” said Huntley.
Despite Huntley’s statement, she declined to respond when the Maine Wire sent her a list of specific questions.
These questions included a query about the number of minors whose data was compromised by the breach.
In the fall 2023 issue of The Spotlight, the newsletter published by Maine’s DHHS, the department provided a small update on the breach. The updated information can also be found in the state’s press release, as well as on the website dedicated to the breach.
Since the state’s initial press release, the hackers have issued their own statement.
“Since the onset of the incident, the cybercriminals involved claimed their primary targets were businesses, with a promise to erase data from certain entities, including governments,” Maine’s DHHS said.
“Despite their assertions that any data obtained from governments has been erased, the State is urging individuals to take steps to protect their personal information,” said the DHHS.