Cyber Incident Victim: IBM Consulting
Date: May 2023
Location: United States of America
Summary
A third-party cyber attack on IBM Consulting, a vendor for the Missouri Department of Social Services, exploited a vulnerability in Progress Software’s MOVEit Transfer application. The incident did not breach state systems but did impact Medicaid participant data stored by IBM. Protected health information, including names, client numbers, dates of birth, and medical claims data, may have been accessed by an unauthorized party. An investigation to determine the full scope of the data exposure is ongoing.
Description
On or around May 31, 2023, a significant data security incident occurred involving IBM Consulting, a vendor providing services to the Missouri Department of Social Services (DSS). The incident did not directly affect any internal DSS systems; instead it involved a critical vulnerability in Progress Software's MOVEit Transfer application, a third-party file transfer product used by IBM. This vulnerability has been implicated in cyberattacks affecting numerous organizations across the United States and globally. The incident resulted in unauthorized access to files containing data belonging to DSS, specifically information pertaining to Medicaid participants.

IBM Consulting formally notified the Missouri DSS of the security incident on June 2, 2023. In its initial notification, IBM informed DSS that it had already applied all recommended software fixes provided by Progress Software to address the MOVEit vulnerability. Furthermore, IBM had ceased using the MOVEit Transfer application entirely while it commenced an investigation to determine the scope of the incident and whether any DSS data had been accessed or exfiltrated by an unauthorized party. Upon receiving this notification, the Missouri DSS immediately launched its own investigation and began coordinating with relevant entities to ensure the continued security of its systems and the information it manages. Throughout this process, no DSS-owned or operated systems were found to have been compromised or impacted by this external event, though monitoring of these systems remained ongoing.
On June 13, 2023, IBM provided a subsequent update to DSS, advising the state agency that it should presume certain files saved within the MOVEit application had been accessed by an unauthorized user. Based on the types of files believed to have been compromised, DSS determined that these files likely contained protected health information of Missouri Medicaid participants. The potentially accessed data elements included an individual’s full name, department client number (DCN), date of birth, benefit eligibility status or coverage information, and medical claims data. DSS was able to obtain a copy of the specific files IBM identified as having been potentially accessed during the incident.
The analysis of these files proved to be a complex and time-consuming process for the department. The files were described as being very large, not formatted in plain English, and not easily readable due to their structure. This complicated formatting significantly slowed the effort to definitively ascertain the full scope of the compromised information and to identify every individual potentially affected. Despite the analytical challenges, DSS decided to proceed with notifying individuals based on the initial understanding of the files' contents while the detailed review continued.
In response to the incident, the Missouri Department of Social Services took several actions to manage the situation and assist affected individuals. A primary focus was on public notification and consumer protection. DSS drafted and began sending individual notification letters to those people whose information was potentially impacted. These letters detailed the nature of the security incident, explained the actions DSS was undertaking in response, and provided guidance on steps recipients could take to protect their personal information. The department committed to issuing additional notices should the ongoing file analysis reveal that different or additional information or individuals were involved.
To support potentially impacted Missourians, DSS partnered with IDX, a ZeroFox Company, to establish a dedicated call center and an incident response website. The call center, reachable at (888) 220-4761, operates from 8 a.m. to 8 p.m. Central Standard Time, Monday through Friday, excluding major U.S. holidays. The dedicated website, https://response.idx.us/missouri, was created to answer common questions and provide updates as the investigation progressed. The department emphasized that there had been no indication to date that any of the compromised DSS data had been misused. However, they strongly encouraged vigilance and recommended that individuals take proactive steps to monitor their financial and personal accounts.
The recommended protective actions included placing a freeze on credit reports with the three major credit reporting agencies: Experian, Equifax, and TransUnion. A credit freeze prevents new accounts from being opened in an individual’s name without their explicit permission while allowing continued use of existing credit cards and bank accounts. DSS also advised Missourians to regularly review their credit reports, which can be obtained for free from each of the major reporting services. The incident underscores the risks associated with third-party vendor relationships and the storage of sensitive data on external systems. The Missouri DSS continues to investigate the incident and has stated it will take all appropriate actions to protect the information of Missourians that was entrusted to its care.
