Another 8–11 million individuals are believed to have had their personal information compromised by the Clop ransomware gang after a US firm revealed it had been caught in the MOVEit campaign.
Virginia-headquartered Maximus provides services for Medicaid, Medicare and other US government schemes, although it also has operations in the UK, Middle East and Asia.
It revealed in an SEC filing this week that a “significant number” of its commercial and government customers worldwide were affected by the MOVEit data theft campaign.
Although its own IT environment has not been compromised, a large number of files in the MOVEit environment were.
“Based on the review of impacted files to date, the company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least eight to 11 million individuals to whom the company anticipates providing notice of the incident,” the filing continued.
“The company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services.”
Maximus has set aside $15m for “investigation and remediation” related to the breach, it said.
The data extortion campaign is the work of notorious ransomware group Clop, which compromised popular managed file transfer software MOVEit via a zero-day SQL injection flaw.
Countless companies and their customers/employees have been impacted, many of them because a supplier like Maximus was using the software. In a similar way, payroll provider Zellis was caught out, which in turn impacted big-name customers such as the BBC, British Airways and pharmacy chain Boots.
Elliott Wilkes, CTO at Advanced Cyber Defence Systems, argued that the campaign highlights the importance of conducting rigorous checks for hidden bugs.
“What’s interesting is that the company behind the MOVEit software appears to have all of its compliance-driven security checks and protocols in place, things like PCI DSS and HIPAA. It is clear that these compliance frameworks are simply the starting point for security posture,” he added.
“Organizations that manage large swathes of customer data and sensitive personal information must perform regular and continuous audits of their systems, checking their configurations and versions for vulnerabilities.”