Hackers Stole Over 8 Million Users' Data From U.S. Government Services Contractor

Using a vulnerability in MOVEit Transfer, hackers gained access to the protected health information of 8 to 11 million individuals.

Maximus, a US government contracting business based in San Francisco, has acknowledged a data breach.

Maximus works with federal, state, and local governments to manage and administer government-sponsored programs including Medicaid, Medicare, healthcare reform, and welfare-to-work programs.

The company employs 34,300 people and generates around $4.25 billion in yearly revenue, with operations in the United States, Canada, Australia, and the United Kingdom.

MOVEit is used by the business for internal and external file sharing, including exchanging data with government clients about individuals who engage in different government programs.

Maximus stated in an 8-K form filed with the Securities and Exchange Commission (SEC) that the data was taken using a zero-day bug in the MOVEit file transfer application, tracked as CVE-2023-34362.

The Clop ransomware group used this issue to attack hundreds of high-profile businesses worldwide.

The Company suspects that an unauthorized third party used this MOVEit vulnerability to gain access to a large amount of individuals' personal data.

The Impact of the Breach

At this point, the Company believes the impacted files contain personal information, such as social security numbers, protected health information, and/or other personal information, of at least 8 to 11 million people to whom the Company intends to provide notice of the incident.

“At present, there is no indication that the incident has had any impact on the internal information technology systems of the Company or its customers beyond the MOVEit environment, and there has been no material interruption to the Company’s business operations due to the incident”, reads the SEC 8-K filing.

Additionally, Maximus presently intends to report an expenditure of approximately $15 million for the quarter ending June 30, 2023, which represents the Company's best estimate of the overall cost of the investigation and remediation actions to be incurred in connection with the event.

“The Company’s review of impacted files is ongoing, and the Company is unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed, which we expect will not be for several more weeks”, the company said.

Maximus Added To The Clop Ransomware Group’s Dark Web Data Leak Site 

Clop, the Russia-linked data extortion group behind the major MOVEit attacks, identified many more victims of its mass hacks last month, in addition to federal government organizations.

Maximus was one of a large batch of 70 new victims that the Clop ransomware group posted to its dark web data leak site yesterday. All of these victims were compromised through the MOVEit zero-day vulnerability.

Clop named as victims the US-based financial services companies 1st Source and First National Bankers Bank, the Boston-based investment management business Putnam Investments, the Netherlands-based Landal Greenparks, and the UK-based energy giant Shell.

Clop contacts its victims and demands a ransom payment in exchange for decrypting or destroying their stolen files.

With the aid of independent legal, forensic, and data analytics specialists, Maximus started an investigation into the issue right away and has already taken corrective action to address the discovered weaknesses.

The Company's forensic specialist has finished the forensic aspects of the inquiry and has also identified the data affected by the cybersecurity incident.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.