Maximus Data Breach Exposes Personal Information of Millions

IT Services provider, Maximus, a contractor responsible for managing and administering various US government-sponsored programs, including federal and local healthcare programs and student loan servicing, has recently disclosed a data breach. Hackers were able to steal the personal data of 8 to 11 million individuals during the MOVEit Transfer data-theft attacks.

With a workforce of 34,300 employees and an annual revenue of approximately $4.25 billion, Maximus operates in the United States, Canada, Australia, and the United Kingdom.

In an 8-K form filed with the Securities and Exchange Commission (SEC), Maximus revealed that the data breach occurred due to a zero-day flaw found in the MOVEit file transfer application (CVE-2023-34362). This flaw was widely exploited by the Clop ransomware gang, leading to breaches in numerous high-profile companies globally.

After conducting a thorough investigation, Maximus confirmed that the hackers were unable to progress beyond the MOVEit environment, which was promptly isolated from the rest of the corporate network.

However, despite the limited access, a significant number of individuals were compromised, and Maximus is currently sending out data breach notifications to affected parties.

According to the SEC 8-K filing, Maximus believes that the impacted files contain personal information, such as social security numbers, protected health information, and other personal details, belonging to at least 8 to 11 million individuals who will receive notification about the incident.

The company plans to allocate approximately $15 million as an expense for the investigation and remediation activities associated with the incident, covering the quarter ended June 30, 2023.

Were the MoveIT Attacks and the Maximus Data Breach Related?

The recent news regarding the government contractor serco unveils data breach raises questions about whether there is any correlation between the MoveIT attacks and the Maximus data breach. Further investigation is crucial to determine if these incidents are connected.

What Were the Consequences of Callaway’s Data Breach in Comparison to Maximus’?

The callaway data breach: over 11 million users affected resulted in severe consequences, causing significant damage to the company’s reputation and financial standing. Personal information of millions of users was compromised, leading to potential identity theft and fraud. The aftermath included lawsuits, regulatory investigations, and hefty fines, highlighting the importance of robust cybersecurity measures. In contrast, the consequences of Maximus’ data breach, if any, remain undisclosed.

Clop Ransomware Gang Identified as Perpetrators

The Clop ransomware gang, responsible for the breach, has added Maximus to their dark web data leak site. The site now includes a list of 70 new victims, all of whom fell victim to the MOVEit zero-day flaw.

According to the information provided on Clop’s site, they have managed to steal 169GB of data from Maximus’ MOVEit Transfer server. However, as of now, no data has been leaked, and the extortion process is still ongoing.

As the list of victims affected by the MOVEit zero-day flaw continues to grow, and the magnitude of the attacks becomes more apparent, the Clop ransomware gang has intensified their extortion tactics. They have recently launched clearweb sites to publicly release stolen data from specific companies, increasing the pressure on victims by making the data more accessible to a wider audience.

H/T – Brett Callow