US Government Contractor Maximus Suffers Massive Data Breach Affecting Millions

July 27, 2023

Maximus, a US government services contractor, has disclosed a significant data breach in which the personal data of 8 to 11 million people was stolen during the recent MOVEit Transfer data-theft attacks. Maximus is a prominent contractor that oversees and administers various US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company, which employs over 34,000 people and generates annual revenue of approximately $4.25 billion, operates in the U.S., Canada, Australia, and the UK.

In an 8-K form submitted to the SEC, Maximus disclosed that the data theft was facilitated by a zero-day vulnerability in the MOVEit file transfer application (CVE-2023-34362). This flaw was extensively exploited by the Clop ransomware gang, leading to breaches at hundreds of high-profile companies globally. Following an investigation into the breach, Maximus stated there was no evidence that the hackers had penetrated beyond the MOVEit environment, which was promptly isolated from the rest of the corporate network. Nevertheless, that limited access gave the hackers enough reach to compromise the data of millions of individuals, prompting the company to send out data breach notifications.

In the SEC 8-K filing, the company stated, 'Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident.' Maximus also noted that it plans to record an expense of approximately $15 million for the quarter ending June 30, 2023, representing the company's best estimate of the total investigation and remediation costs related to the incident.

The Clop ransomware gang added Maximus to its dark web data leak site, along with 70 other new victims, all breached using the MOVEit zero-day flaw. The gang claims to have stolen 169GB of data from Maximus' MOVEit Transfer server during the breach. However, no data has been leaked yet, indicating that the extortion process is still ongoing. As the list of victims of the MOVEit zero-day flaw expands, the Clop ransomware gang has resorted to more aggressive extortion tactics, including launching clear web sites to leak the stolen data of specific companies, which puts additional pressure on the victims by making the data more readily available to a wider audience.
