U.S. Government Contractor Maximus Entangled in MOVEit Data Breach
Attack Impacts Millions

Overt Operator
July 28, 2023
In the ever-expanding saga of the MOVEit data breach, U.S. government contractor Maximus Inc. is the latest victim. The breach, executed by the Cl0p ransomware gang, did not impact the company's internal systems but potentially compromised the personal information of 8 to 11 million individuals.
Maximus provides tech services for government programs such as student loan services, Medicaid, and Medicare, and operates in multiple countries including Australia, Canada, the UK, and the US. With annual revenue exceeding $4.25 billion, the company employs over 39,000 people, as stated on its website.
The company disclosed in its 8-K form, filed with the Securities and Exchange Commission (SEC) on July 26, that it had fallen prey to the GoAnywhere MOVEit attack. The cyber attackers reportedly accessed files containing "personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals," as outlined in Maximus' 8-K.
The repercussions of the MOVEit breach, which began on May 27 through a zero-day SQL injection vulnerability in GoAnywhere's MOVEit file transfer software, continue to unfold. The NCC Group reported a 211% surge in ransomware attacks in the month following GoAnywhere's incident disclosure, with Cl0p accounting for 21% of the total.
Antivirus company Emsisoft has identified 514 organizations and nearly 36.1 million individuals affected by the MOVEit breach, with a majority (72.7%) based in the US and 10.5% in the public sector.
The actual impact could be even more significant, considering that Maximus, a service provider to numerous organizations that manages sensitive records of millions, is a victim.
"Some of the organizations impacted provide services to multiple other organizations, and so the numbers are likely to increase significantly as those organizations start to file notifications," Emsisoft stated in its incident scope assessment.
Kurt Osburn, director of risk management and governance at the NCC Group, stressed the need for continuous vigilance, noting, "They need to make sure that they're constantly updating and tracking their intrusion detection systems," and also emphasized the necessity of frequent penetration testing, vulnerability scanning, and encryption.