Maximus, a company that handles services like Medicaid, Medicare, and labor market integration for welfare recipients, revealed that personal data of "at least 8 to 11 million people" had been leaked. This leakage was due to a zero-day vulnerability in the software they used to manage information about participants in various government programs.
Maximus announced in a mandatory filing with the U.S. Securities and Exchange Commission (SEC) that the personal information of a "significant number" of those affected had been leaked due to a zero-day vulnerability in the relevant software. The company uses MOVEit to manage data about people "who participate in various government programs."
"Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident." - the SEC statement reads.
"The Company has been notifying its customers as well as federal and state regulators, and it will provide appropriate notifications to individuals affected by this incident. In addition, individuals receiving notice will be offered free credit monitoring and identity restoration services." - the statement further reads.
The company responded immediately by engaging external experts and has begun remediating the reported vulnerabilities. It has also informed its direct customers and federal and state supervisory authorities.
The incident has cost Maximus around $15 million so far. If worst fears are confirmed, this could be the biggest leak of health data this year.
The Clop ransomware group, linked to Russia, has claimed to have exfiltrated 169 gigabytes of data from Maximus and has threatened to publish it. In total, the vulnerabilities have affected more than 500 organizations and the personal data of over 34.5 million people globally.
Other notable victims include companies such as AOK Niedersachsen, Barmer, BBC, British Airways, Ernst & Young, PricewaterhouseCoopers, Schneider Electric, Shell, and Siemens Energy.
Recently, ING, Comdirect, Deutsche Bank, and Postbank were also added to the list of Clop victims. Exploitation of the vulnerability gave the attackers access to sensitive customer data at the beginning of July.
This latest incident underscores the urgent need for companies to review and strengthen their cybersecurity measures. The extent of this leak, coupled with the vast number of people affected, is a stark reminder that even large corporations are not immune to cyber threats.
Citizens participating in government programs and customers of Maximus should remain vigilant and monitor their personal information for potential misuse.
For service providers, this incident is a lesson in the importance of regularly updating security protocols and working closely with cybersecurity experts to protect sensitive information.
In an era where cyber threats are becoming increasingly sophisticated and pervasive, the need for robust cybersecurity measures has never been greater.