US contractor says info of up to 10 million leaked in MOVEit breach

An IT firm that provides services to Medicaid, Medicare, U.S. student loan servicers and other government programs confirmed that the information of up to 10 million people may have been accessed by hackers exploiting the MOVEit file transfer software.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), U.S.-based government services company Maximus said it uses MOVEit “for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs.”

“Based on the review of impacted files to date, the Company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the Company anticipates providing notice of the incident,” the company said, noting that it is “unable to predict the total number of impacted individuals who will receive notice of the incident until that review is completed.”

“The Company is cooperating with law enforcement regarding this cybersecurity incident. Maximus promptly commenced an investigation of the incident with the assistance of outside legal, forensic and data analytics experts and has taken remedial steps to address the reported vulnerabilities.”

Maximus said it is in the process of notifying its customers as well as federal and state regulators about the incident before it begins the process of sending out breach notifications to the people affected.

Those impacted will be offered free credit monitoring and identity restoration services for an undisclosed amount of time.

The incident will cost the company an estimated $15 million, but they noted that the investigation is ongoing and will last “several more weeks.”

Maximus has more than 34,000 employees and reports an annual revenue of more than $3 billion – providing services to programs like the Children's Health Insurance Program (CHIP) as well as health insurance exchanges required under the Affordable Care Act.

It is also heavily involved in welfare-to-work programs as well as government record tracking during the COVID-19 pandemic.

According to experts at cybersecurity firm Emsisoft, at least 514 organizations have been affected by the MOVEit incident – including 97 U.S. schools.

Deloitte, Flutter and Toyota

The Clop ransomware gang added dozens of new companies, colleges and organizations to its leak site on Wednesday.

A spokesperson for Deloitte told Recorded Future News that they “have seen no evidence of impact to client data” after the “Big Four” accounting and consulting firm was listed by Clop.

“Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance,” the spokesperson said.

“Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited.”

The spokesperson did not respond to questions about what information was involved in the breach and whether employee data was accessed.

Deloitte, based in London, is the world’s largest professional services network based on revenue and is the third accounting giant to be affected by the exploitation of the file transfer software after both PricewaterhouseCoopers and EY were confirmed to have been victimized by the Clop ransomware gang.

Gambling giant Flutter also said that it was affected by the incident, confirming to Recorded Future News that data was accessed by the hackers exploiting MOVEit.

The company would not say what data was accessed or whether it involved customer information.

Flutter controls several popular gambling brands, including FanDuel, PokerStars, Betfair, Sky Betting & Gaming, and Sportsbet.

Toyota Boshoku Corporation – a member of the Toyota Group of companies – was also added to Clop’s list on Wednesday and previously confirmed that they were affected in a statement released on June 10.

The company said data from its European subsidiary, Toyota Boshoku Europe, was accessed by the hackers. They did not say what data was accessed and did not respond to requests for comment.

On Wednesday Clop also officially added Pension Benefit Information, an organization that verifies beneficiary data for pension funds around the world.

Dozens of organizations around the world have released statements confirming that their information was breached due to the attack on Pension Benefit Information – which also confirmed that it was affected.