Maine Government Says Data Breach Affects 1.3 Million Residents

An anonymous reader quotes a report from TechCrunch: The government of Maine has confirmed over a million state residents had personal information stolen in a data breach earlier this year by a Russia-linked ransomware gang. In a statement published Thursday, the Maine government said hackers exploited a vulnerability in its MOVEit file-transfer system, which stored sensitive data on state residents. The hackers used the vulnerability to access and download files belonging to certain state agencies between May 28 and May 29, the statement read. The Maine government said it was disclosing the incident and notifying affected residents as its assessment of the impacted files "was recently completed."

Maine said that the stolen information may include a person's name, date of birth, Social Security number, driver's license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken. The statement said the state holds information about residents "for various reasons, such as residency, employment, or interaction with a state agency," and that the data it holds varies by person. According to the state's breakdown of which agencies are affected, more than half of the stolen data relates to Maine's Department of Health and Human Services, with up to about a third of the data affecting the Maine's Department of Education. The remaining data affects various other agencies, including Maine's Bureau of Motor Vehicles and Maine's Department of Corrections, though the government notes that the breakdown of information is subject to change. More than 1.3 million people live in the state of Maine, according to the U.S. Census Bureau.

And? Who goes to prison?

[gweihir]

Nobody? Then this is obviously not an important problem. When an Electrician wires a house so it burns down in a grossly negligent fashion the electrician becomes liable personally and may go to prison. When some IT person blindly relies on questionable tool, exposes tons of confidential data to it and things go to hell, nobody is held personally accountable. Until and unless that changes, IT security will continue to go down the drains, with higher and higher cost for everybody.

Re:

[Slayer]

Not only will nobody go to prison over this, nobody will ever be fired over this aspx crap. SQL injection attacks are sooooo 2011 [wikipedia.org] ...

Re:

[gweihir]

Yep, pretty much. Using Windows for anything important is slowly becoming gross negligence.

Re: And? Who goes to prison?

[Plugh]

Slowly?!?!?

Re:

[gweihir]

Oh, it was simple negligence all along. But gross negligence has pretty high requirements.

Re:

[thegarbz]

Stupid comparison. Burning someone's house down has a wildly different impact than releasing their data. Punishing both acts equally would be asinine, and that's before we talk about the fact that prison has been shown not to be a deterrent to negligence which has an unfathomably low chance of occuring.

And I use the worth unfathomably in that people humans are horrendous at determining risk for rare events and fail to effectively process said risk. Everyone going to jail over such a crime would have said "b

Re:

[Slayer]

Data leakage can cause serious trouble to some people. While burning down an inhabited house is obviously attempted murder, causing widespread enough grief through impersonation and credit fraud triggering suicides might as well count for the same. Gross negligence may even be too weak a charge in this case: there was a court case in Germany, in which a downtown car racer was convicted for murder after an accident. Like it or not, this argument for stronger liability makes sense to legal experts.

BTW after S

Re:

[thegarbz]

Data leakage can cause serious trouble to some people.

It can. Maybe. Possibly. The law doesn't deal with "possibly". You need to demonstrate harm, such as losing your house, or being killed by a racing driver.

Re:

[Slayer]

That downtown racer did not want to kill a pedestrian, but his driving style made that extremely likely, and during the race he may not even have been aware of this. If my live and liberty depends on noone blowing his/her brains out over some demolished credit rating due to this leak, then I'd stay the hell away from shoddy Windows software ...

Re:

[misnohmer]

LOL, really, in criminal law you need to demonstrate harm? If you get in a car and do 100 miles per hour through a school zone, but didn't hit anyone or anything. Sure, you broke traffic law, so you get a ticket and maybe even lose a driver's license, but according to your legal expertise, no criminal charges such as reckless driving, engendering the public or minors, would ever stick in court unless you actually hit someone? How about firing a weapon into a crowd but not hitting anyone, not criminal becaus

Re:

[misnohmer]

If a professional does a crappy job, you can choose not to hire them again. If the government loses your data, good luck demanding that they wipe all your data and give you the option to never give them any sensitive data ever again, because you don't trust them.

Wow! Who Knew?

[93 Escort Wagon]

I had no idea Maine had that many citizens.... I thought it was only a few dozen people.

Re:

[DrMrLordX]

Gotta harvest them potatoes.

Re:

[classiclantern]

I was surprised too. Current estimates show there are now 1,329,328 people living in the state, so yeah, everyone but Hermits and Preppers.

huh. they should have hired me.

[drwho]

I am a Maine resident. I submitted a proposal to do a pentest on state systems back in 2020, because I thought I saw some vulns. they ignored me. Oh well.

Re:

[Train0987]

Maine's "system" wasn't hacked, a 3rd-party file management system used by many state govt's was. It's an easy mistake, one has to make it to the second sentence of the summary for that info.

But It Was OK For State To Have Data.

[zenlessyank]

We are such good citizens.

Re:

[Anonymous Coward]

How else do you propose providing state services? Licenses? Taxes? Maybe they should just remember your face.

Re:

[The Evil Atheist]

It was much easier to get away with stuff in the past.

Re:

[herberttlbd]

MOVEit was used by a lot more than governments. You can complain about government intrusion all you want but market demands can lead to a competitve advantage and surely someone who rallies against the government wouldn't be against the free market.

Re:

[gtall]

Sure, let's put Maine back in the 1950s.

I am missing a bunch of explanations

[at10u8]

All the promotional text for MOVEit says the data are encrypted, but somehow this cannot be true? Why do state agencies need to use a third party to move large databases between their own machines? What is the perceived use case for this software and how is the vendor convincing people that they have a good solution?

Re:

[Train0987]

SQL injections in MOVEit's web console login fields.

https://www.kolide.com/blog/mo... [kolide.com]

Re:

[herberttlbd]

I believe they support encryption in transmission and for files but both are optional to accommodate every workflow. The breach happened because the database was compromised due to SQL injection meaning the password and keys were exposed.

Why do state agencies need to use a third party

[Mirnotoriety]

at10u8 [slashdot.org]: “All the promotional text for MOVEit says the data are encrypted, but somehow this cannot be true? Why do state agencies need to use a third party to move large databases between their own machines? What is the perceived use case for this software and how is the vendor convincing people that they have a good solution?”

a. Political contributions on Capitol Hill.

b. Homeland Security runs on MICROS~1

c. We're all fcüked :(

Quis custodiet custodes

[Bruce66423]

Who guards the guardians? Holding states authorities accountable for behaviour which in the private sector would attract criminal sanctions is a long term problem. It's within living memory that the UK abandoned the concept of 'Crown immunity', which had meant that all state operated institutions couldn't be prosecuted; in the UK this, of course, included hospitals. Now we have a steady flow of such prosecutions, though having little effect it seems; the actual managers responsible are seldom in the dock themselves.

One plausible solution is to require all data holders and their contractors to have significant insurance cover and to encourage the insurers to enforce strict testing strategies. Unfortunately the nature of the forever changing tech landscape is that there can never be real certainty; the inevitable risk is a price we have to pay

So after 5 months....Maine confirms data breach

[bsdetector101]

So after 5 months..... Why is always months or years later that a breach is announced, really !!!! And it never said anything about offering to watch your credit services !! My personal info has breached 3 times in 2 years and currently have to watches with credit services. Companies you deal with want all your personal info and CAN'T protect it !!

Re:

[burtosis]

I think the reasoning is if everyone lets your data be stolen then you can’t point to a single leak and no one is responsible.

Re:

[HiThere]

"CAN't" or "don't choose to". Doing decent security is always a bit more expensive and often inconvenient.

So what all this is readily available nowadays

[blahbooboo]

all this information is widely available nowadays from the endless data leaks in the last 15 years. Freeze all your credit lines and move on.

Re:

[burtosis]

Exactly. At this point it’s not if a person had their data stolen, it’s how many times and how recently. Everyone has likely had it stolen at least a dozen times by now.

Who knew MOVEit was so widespread?

[cascadingstylesheet]

Time to "man rsync" maybe?

MOVEit Again? Duh!

[oldgraybeard]

Rinse and Repeat! Rinse and Repeat!