Cyber Incident Victim: Maximus

Date: May 2023

Location: United States of America

Summary

The Clop ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit file transfer application to conduct a widespread data theft campaign. The attack impacted over 500 organizations, including government contractor Maximus. The incident at Maximus compromised the personal information of millions of individuals, including Social Security numbers and protected health information, making it one of the largest breaches from this campaign.

Description

On or around May 29 and 30, 2023, the Clop ransomware group initiated a widespread data-grabbing attack by exploiting a zero-day vulnerability in Progress Software’s MOVEit managed file transfer software. The timing of the attack appeared to be coordinated to take advantage of the Memorial Day holiday weekend in the United States. Progress Software became aware of the flaw and issued a security alert on May 31, warning its customers to immediately update their software and providing a patch. The Clop group’s exploitation involved unauthorized access to MOVEit file transfer servers to exfiltrate data from numerous organizations that used the software for internal and external file sharing purposes.

One of the organizations affected by this attack was Maximus, a publicly traded health and human services provider based in McLean, Virginia. Maximus used MOVEit for sharing data with government customers, particularly information pertaining to individuals participating in various government programs. Following the security alert issued by Progress Software on May 31, Maximus promptly commenced an investigation into the potential impact on its systems. The company engaged third-party digital forensic investigators to assist with the probe into the security incident. The investigation confirmed that Maximus’s MOVEit environment had been compromised by the Clop group’s attack, resulting in the unauthorized access and exfiltration of data.

The data stolen from Maximus amounted to 169 gigabytes, which was reported as potentially the largest single data set compromised in the broader MOVEit attack campaign. Based on the forensic review of the impacted files, Maximus determined that the stolen information contained highly sensitive personal data. This included Social Security numbers, protected health information, and other personal information belonging to a significant number of individuals. The company reported to federal regulators that the data breach affected at least 8 million, and as many as 11 million, individuals. The compromised data was related to Maximus's role as a Medicaid enrollment broker contractor, handling sensitive information on behalf of government programs.

In response to the incident, Maximus undertook a comprehensive response effort. The company filed an 8-K form with the U.S. Securities and Exchange Commission on June 27, 2023, detailing the breach and its expected financial impact. Maximus estimated that it would spend approximately $15 million in costs associated with responding to the hack. A major component of this response involved the process of notifying the millions of affected individuals. The company also offered prepaid credit monitoring and identity theft monitoring services to the victims whose personal information was exposed. The forensic investigation concluded that the attackers had accessed and copied files from the company’s MOVEit server during the exploitation window.

The attack on Maximus was part of a much larger campaign by the Clop group against users of the MOVEit software. By June 27, 2023, the number of organizations directly or indirectly affected by these attacks had surpassed 515. The total number of individuals impacted was reported to be at least 36 million, based on data breach notifications issued by approximately one-fifth of the victim organizations that had publicly disclosed a count. A significant characteristic of the MOVEit attacks was the targeting of service providers, which meant that breaching a single service provider’s MOVEit server often resulted in the compromise of data belonging to multiple other organizations and their customers.

The Clop group added victim organizations to its data leak site, publicly naming them and threatening to release stolen data if ransom demands were not met. In the days leading up to June 27, the group had added 70 more organizations to its site. Other notable victims included AmeriSave Mortgage Corp., hospitality software vendor Agilysys, the College of American Pathologists, software development firm Informatica, consultancy giant Deloitte, Johns Hopkins Health System, and the Chuck E. Cheese restaurant chain. The group claimed on its leak site that it had deleted any data stolen from government entities, implying it did not attempt to extort them, though it did extort numerous other victims.

The sectoral impact of the broader MOVEit attacks was significant. According to analysis by security firms, 73% of the known victim organizations were based in the United States. The financial services, professional services, and education sectors accounted for the greatest number of known incidents. Specifically, there were 109 U.S. schools, 23 U.S. public sector organizations, and 31 public sector organizations abroad confirmed as victims. The attack on service providers had a cascading effect, as seen with Pension Benefit Information Research Services, also known as PBI. The breach of PBI led to a long list of its financial services customers, such as Teachers Insurance and Annuity Association of America (affecting 2,373,076 individuals), Corebridge Financial (798,000 individuals), Talcott Resolution Life Insurance (557,741 individuals), and Aurora National Life Assurance Co. (48,457 individuals), having to issue their own data breach notifications.

The full scope of the incident continued to evolve, as many organizations were still investigating the intrusions into their systems at the time of reporting. One such organization was the National Student Clearinghouse, which works with over 3,500 colleges and universities and holds data on 17.1 million current postsecondary students. It had not yet determined the full number of individuals affected by the compromise of its MOVEit server. The Clop group’s motivation was primarily financial, with security experts estimating the ransomware group may have cleared $75 million or more by extorting large MOVEit victims. The exact number of organizations that paid a ransom to avoid being named publicly remained unclear. The incident represented a significant supply-chain attack with far-reaching consequences due to the central role MOVEit plays in secure file transfer for numerous industries and government contractors.
