Millions of People Affected in MOVEit Attack on US Gov't Vendor

The MOVEit breach has claimed yet another target: Maximus Inc., a US government contractor. Though the company's internal systems were unaffected, 8 to 11 million people's personal information may have been compromised.

Maximus provides technology services for administering and managing government programs like student loan servicing, and Medicaid and Medicare. It operates in Australia, Canada, the UK, and the US employing more than 39,000 people with an annual revenue exceeding $4.25 billion, according to its website.

In its 8-K form for investors, filed with the Securities and Exchange Commission (SEC) on July 26, the company revealed that it had been a victim of the GoAnywhere MOVEit attack, carried out by the Cl0p ransomware gang. The attackers appear to have accessed files which "contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals," the company noted in its 8-K.

In a statement provided to Dark Reading, Maximus emphasized that "we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network."

Meanwhile the company estimated in its 8-K that its breach-related expenses in the second quarter came to around $15 million.

How Maximus' Partners are Impacted

Nearly two months on, new victims of the MOVEit breach are still revealing themselves. It was May 27 when hackers began exfiltrating data via a zero-day SQL injection vulnerability in GoAnywhere's MOVEit file transfer software.

In the month following GoAnywhere's disclosure of the incident, NCC Group tracked a 211% rise in ransomware attacks, 21% of the total owing to Cl0p. More recently, the antivirus company Emsisoft has tracked 514 organizations, and almost 36.1 million individuals, known to be affected by the MOVEit breach. The overwhelming majority — 72.7% — are based in the US, and 10.5% occupy the public sector.

Even the act of measuring such a wide blast radius is fraught, though, as Maximus — a vendor for government organizations in four countries, managing millions of individuals' sensitive records — demonstrates.

"Some of the organizations impacted provide services to multiple other organizations, and so the numbers are likely to increase significantly as those organizations start to file notifications," Emsisoft noted in its assessment of the scope of the incident.

So it's not just MOVEit's own customers at risk — customers of MOVEit's customers will also have to watch their backs.

"They need to make sure that they're constantly updating and tracking their intrusion detection systems," says Kurt Osburn, director of risk management and governance at NCC Group. "They need to make sure that they're doing penetration testing and vulnerability scanning, constantly, to make sure nobody's accessing records. And they need to make sure that any transactions they do with individuals or with other companies are encrypted."

How MOVEit Affects Regular People

Beyond businesses, there are millions of individuals in the firing line. Maximus occupies a privileged place in the government supply chain, and manages millions of peoples' economic, health, and other sensitive records, making it a particularly attractive target for Dark Web personal data merchants, and particularly dangerous for the folks who may not even realize they're caught up in such a mess.

"Medical records are worth probably upwards of $1,000 [each] on the Dark Web," Osborn emphasizes, "because you can get Social Security numbers, addresses, phone numbers, dates of birth. And so you can buy houses, set up credit cards, file fake tax returns — it's all fair game if you've got protected medical healthcare information that has everything important about an individual."

He adds, "It's going to continue to be a problem because of the value of the records — what hackers can do with them," noting that a compromise like this can drag on for years.

"I've personally been breached more times than I can count, but nothing ever happens. Nothing changes," he says.