Government services provider Maximus Inc. is the latest victim of the Clop ransomware gang’s targeting of a critical vulnerability in Progress Software Corp.’s MOVEit file transfer software, as data belonging to as many as 11 million people was stolen.

Maximus, which provides services for Medicaid, Medicare, health care reform, welfare-to-work and student loan servicing, disclosed it had been hacked in a U.S. Securities and Exchange Commission filing. The July 26 filing states that the company became aware that data could have been compromised after the revelation that the MOVEit file transfer software had been compromised on May 31, but does not give a specific date when it detected that its internal systems had also been compromised.

After ordering an investigation of the incident, Maximus found data belonging to at least 8 million to 11 million individuals had been affected. The data stolen included personal information, including Social Security numbers, protected health information and personally identifiable information.

Maximus is informing affected customers and is working with federal and state regulators. Customers will also be offered free credit monitoring and identification restoration services.

The one thing that isn’t clear from the disclosure is whether the victims were exclusively in the U.S. or other countries. Although reports refer to Maximus as a “U.S. government contractor,” the company also provides services to governments in other English-speaking countries such as Canada, the U.K. and Australia.

Maximus isn’t the first organization to be compromised by the vulnerability in MOVEit. On June 7, it was reported that the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd. may have had payroll data stolen in a MOVEit attack. On June 15, the list of known victims grew to include the U.S. Department of Energy, Shell Plc, UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druckmaschinen AG and Landal Greenparks.

MOVEit is managed file transfer software designed to provide secure and compliant file transfers for sensitive data within and between organizations. The vulnerability, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.

“This massive exploit of the MOVEit vulnerability is yet another demonstration of the importance of securing the software supply chain when it comes to data privacy,” Ray Kelly, a fellow at the Synopsys Software Integrity Group, told SiliconANGLE. “The key takeaway for business leaders is clear – just a single vulnerability in one piece of a third-party vendor’s software can lead to the compromise and exposure of personally identifiable information across every organization that vendor services.”

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, warned that a breach in the healthcare sector is highly damaging given the sensitive nature of the data involved.

The breach “exposes some of the most private personal and medical information of an already vulnerable section of the population, leading to identity theft, medical fraud, and financial losses for individuals and organizations,” Shadabi said. “Such incidents erode trust, impact patient safety and incur heavy legal and regulatory consequences.”

Image: Maximus