Nearly all people in US state of Maine affected by Moveit hack

13 Nov 2023

Downtown Portland, Maine. Image: © Wangkun Jia/Stock.adobe.com

A statement issued by the government of Maine in the US notified 1.3m residents that their personal data may have been stolen in a cyberattack in May.

Nearly the entire population of the US state of Maine has fallen victim to the latest Moveit hack after the personal information of 1.3m was stolen by criminals.

First reported in June, the global Moveit breach, in which hackers exploit a zero-day vulnerability in the file transfer software, has affected companies and government agencies on both sides of the Atlantic, including banks, universities, insurance and healthcare providers.

One of the first incidents announced affected 45,000 students in the New York City Department of Education system. The agency revealed that students’ personal information, such as social security numbers and birth dates, was stolen.

In July, the hack hit closer to home, after Dublin Airport became the latest victim of the cyberattack. Pay and benefits information of some Dublin Airport employees was compromised in a third-party cyberattack affecting Aon, airport management company DAA confirmed to SiliconRepublic.com at the time.

Microsoft attributed the hack exploiting the Moveit zero-day vulnerability to Lace Tempest, a reportedly Russian-speaking cybercrime group known for similar ransomware operations and running the Clop extortion site, which was also responsible for the GoAnywhere MFT attack in March.

Now, 1.3m residents of Maine in north-eastern US have been notified by the state government that they have been impacted by a cyberattack after a “software vulnerability” was exploited by a group of hackers who accessed and downloaded files belonging to agencies in the state.

A statement issued by the government read that the incident happened between 28 and 29 May 2023.

“The state of Maine has determined that this incident has impacted approximately 1.3m individuals, with the type of data affected differing from person to person,” it read.

“The state encourages individuals to reach out to its dedicated call centre to verify if they were affected and, if so, to identify what specific data of theirs was involved.”

Types of data stolen as part of the Moveit hack include name, social security number, date of birth, driver’s licence number and taxpayer ID. For some, the government said medical and health insurance information may also have been breached.

“As soon as the state became aware of the incident, the state took steps to secure its information, including by blocking internet access to and from the Moveit server,” the statement went on.

“[We] also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain was a journalist with Silicon Republic

editorial@siliconrepublic.com