
MOVEit bug tied to breach of up to 11M records via government contractor


The number of organizations hit by the MOVEit file transfer application bug now includes government contractor Maximus. Impacted in the attack are up to 11 million Maximus customers.

In a July 26 filing with the Securities and Exchange Commission, the company said it expects to notify at least 8 million to 11 million individuals that their personal information may have been compromised. Maximus provides health and human services programs to state and local governments.

Progress Software, maker of the MOVEit software, disclosed on May 31 that a critical zero-day vulnerability in the application allowed unauthorized third parties to access its customers’ MOVEit environments.

According to a June 5 blog post, Progress Software provided steps to mitigate the vulnerability within 48 hours of discovery: it disabled web access to MOVEit Cloud to protect its cloud customers, developed a security patch, and re-enabled MOVEit Cloud. The company also implemented a series of third-party validations to ensure the patch corrected the exploit.

Since that disclosure, a growing number of organizations around the world have confirmed that they, too, have fallen victim to the vulnerability, which appears to have been exploited by the Cl0p ransomware group.

Instead of deploying ransomware, however, cybersecurity researchers say Cl0p has changed tactics to steal the data of millions of people worldwide and then demand payment to not release the data. 

"It's sort of a new business model for them," Huntress senior researcher John Hammond told SC Media in June. Huntress researchers helped find the zero-day exploit Cl0p used to trick MOVEit's database into executing the gang's commands.

The MOVEit hack was already on track to become the most widespread file transfer hack even before the SEC disclosure by Maximus, which claimed in the filing that it believes that the incident did not move beyond the MOVEit environment and did not disrupt its business operations.

Maximus uses the application for internal and external file-sharing purposes, including “to share data with government customers pertaining to individuals who participate in various government programs.” The company said it has already begun to notify customers, as well as federal and state regulators.

The company also disclosed that it plans to spend about $15 million for the quarter ended June 30 on the total investigation and remediation activities related to the cybersecurity incident.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
