Maximus Security Breach

US government service contractor Maximus has disclosed a data breach, the result of a recent cyberattack, that exposed personal details of an estimated 8 to 11 million individuals. The breach was made possible through the MOVEit Transfer data-theft attacks that have been plaguing various high-profile companies around the world.

An Overview of Maximus and Its Operations

Maximus is a contractor that oversees US government-backed programs. It specializes in managing healthcare programs at both the federal and local level and handles student loan servicing. The company has a workforce of approximately 34,300 and generates annual revenue of roughly $4.25 billion. Its operations span the U.S., Canada, Australia, and the UK.

The Nature of the Maximus Security Breach and the Disclosure

Maximus announced the data theft in an 8-K form submitted to the Securities and Exchange Commission (SEC). The theft utilized a zero-day vulnerability (CVE-2023-34362) in the MOVEit file transfer application. The notorious Clop ransomware group has exploited this flaw extensively to infiltrate hundreds of global companies.

In its probe into the breach, Maximus found no evidence to suggest that the hackers ventured beyond the MOVEit environment, which was swiftly segregated from the rest of the corporate network.

Extent of the Maximus Data Breach

Although the hackers’ access appeared limited, it was substantial enough to compromise the personal information of millions. The company is in the process of issuing data breach notifications to the affected individuals.

The SEC 8-K filing disclosed: “Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident.”

As a response to the incident, Maximus is planning to allocate approximately $15 million for the quarter ending June 30, 2023. This expense is to cover the cost of investigations and remediation activities linked to the incident.

The Role of the Clop Ransomware Gang in Maximus Security Breach

The Clop ransomware gang added Maximus to its dark web data leak site, listing it among 70 new victims, all of whom fell prey to the MOVEit zero-day flaw.

According to the entry on Clop’s site, the group reportedly stole 169GB of data during the attack on Maximus’ MOVEit Transfer server. However, no leaked data has surfaced so far, indicating that the extortion process is ongoing.

As the list of victims of the MOVEit zero-day flaw expands, the Clop ransomware gang is resorting to more hostile extortion strategies. They have begun launching clearweb sites to leak specific companies’ stolen data. This tactic enhances the pressure on victims as it makes the data readily accessible to a larger audience.