US Government Contractor Maximus Suffers Massive Data Breach Affecting Millions

July 27, 2023

Maximus, a US government services contractor, has revealed a significant data breach, indicating that personal data of 8 to 11 million people was stolen during the recent MOVEit Transfer data-theft attacks. Maximus is a prominent contractor that oversees and administers various US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company, which employs over 34,000 people and generates an annual revenue of approximately $4.25 billion, operates in the U.S., Canada, Australia, and the UK.

In an 8-K form submitted to the SEC, Maximus disclosed that the data theft was facilitated by a zero-day vulnerability in the MOVEit file transfer application (CVE-2023-34362). This flaw was extensively exploited by the Clop ransomware gang, leading to breaches in hundreds of high-profile companies globally. Following an investigation into the breach, Maximus stated there was no evidence that the hackers had penetrated beyond the MOVEit environment, which was promptly isolated from the rest of the corporate network. Nevertheless, the limited access granted the hackers enough reach to compromise the data of millions of individuals, prompting the company to send out data breach notifications.

In the SEC 8-K filing, the company stated, 'Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident.' Maximus also noted that it plans to record an expense of approximately $15 million for the quarter ending June 30, 2023, representing the company's best estimate of the total investigation and remediation costs related to the incident.

The Clop ransomware gang added Maximus to its dark web data leak site, along with 70 other new victims, all breached using the MOVEit zero-day flaw. The gang claims to have stolen 169GB of data during the breach on Maximus' MOVEit Transfer server. However, no data has been leaked as of yet, indicating that the extortion process is still ongoing. As the list of victims of the MOVEit zero-day flaw expands, the Clop ransomware gang has resorted to more aggressive extortion tactics, including launching clearweb sites to leak the stolen data of specific companies, thereby applying additional pressure on the victims by making the data more readily available to a wider audience.

Related News

• Schneider Electric and Siemens Energy Fall Prey to Clop Ransomware Attack
• Massive Data Breach at NYC Department of Education: 45,000 Students' Data Stolen
• Gen Digital, Norton's Parent Company, Targeted in MOVEit Ransomware Attack
• US Government Offers $10 Million Bounty for Information on Clop Ransomware Gang
• Shell Falls Victim to Clop Ransomware Attack Exploiting MOVEit Zero-Day Vulnerability

Latest News

• Critical Vulnerabilities in Microsoft Message Queuing Allow for Remote Attacks
• Critical Vulnerability in WordPress WooCommerce Payments Plugin Exploited by Hackers
• Critical Vulnerability in ColdFusion Addressed as Adobe Releases Another Key Patch
• Critical Vulnerability Detected in Cisco SD-WAN vManage Software
• Zimbra Calls for Manual Patching of Actively Exploited Zero-Day Vulnerability