U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks.
Maximus is a contractor that manages and administers US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company employs 34,300 people and has an annual revenue of about $4.25 billion, with a presence in the U.S., Canada, Australia, and the United Kingdom.
In an 8-K form filed with the Securities and Exchange Commission (SEC), Maximum disclosed that the data was stolen using a suffered a zero-day flaw in the MOVEit file transfer application (CVE-2023-34362). The Clop ransomware gang widely exploited this flaw to breach hundreds of high-profile companies worldwide.
After investigating the breach, Maximus found no indication that the hackers progressed further than the MOVEit environment, which was immediately isolated from the rest of the corporate network.
However, this limited access was enough to compromise a large number of individuals to whom the firm is now sending data breach notifications.
“Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident,” reads the SEC 8-K filing.
“Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023, representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident.”
The Clop ransomware gang added Maximus to its dark web data leak site yesterday as part of a big batch of 70 new victims, all having been breached using the MOVEit zero-day flaw.
The entry on Clop’s site claims they have stolen 169GB of data during the breach on Maximus’ MOVEit Transfer server. However, no data has been leaked so far, so the extortion process is still underway.
As the list of MOVEit zero-day flaw victims grows and the size of the attack somewhat normalizes the large-scale data breaches that have compromised the data of hundreds of millions, the Clop ransomware gang has resorted to more aggressive extortion tactics.
Recently, they launched clearweb sites to leak the stolen data of specific companies, which applies further leverage on the victims as it makes the data more accessible to a broader audience.