Security United States

Maine Government Says Data Breach Affects 1.3 Million Residents (techcrunch.com) 40

An anonymous reader quotes a report from TechCrunch: The government of Maine has confirmed over a million state residents had personal information stolen in a data breach earlier this year by a Russia-linked ransomware gang. In a statement published Thursday, the Maine government said hackers exploited a vulnerability in its MOVEit file-transfer system, which stored sensitive data on state residents. The hackers used the vulnerability to access and download files belonging to certain state agencies between May 28 and May 29, the statement read. The Maine government said it was disclosing the incident and notifying affected residents as its assessment of the impacted files "was recently completed."

Maine said that the stolen information may include a person's name, date of birth, Social Security number, driver's license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken. The statement said the state holds information about residents "for various reasons, such as residency, employment, or interaction with a state agency," and that the data it holds varies by person. According to the state's breakdown of which agencies are affected, more than half of the stolen data relates to Maine's Department of Health and Human Services, with up to about a third of the data affecting Maine's Department of Education. The remaining data affects various other agencies, including Maine's Bureau of Motor Vehicles and Maine's Department of Corrections, though the government notes that the breakdown of information is subject to change. More than 1.3 million people live in the state of Maine, according to the U.S. Census Bureau.

  • by gweihir ( 88907 ) on Thursday November 09, 2023 @10:58PM (#63994839)

    Nobody? Then this is obviously not an important problem. When an Electrician wires a house so it burns down in a grossly negligent fashion the electrician becomes liable personally and may go to prison. When some IT person blindly relies on questionable tool, exposes tons of confidential data to it and things go to hell, nobody is held personally accountable. Until and unless that changes, IT security will continue to go down the drains, with higher and higher cost for everybody.

    • by Slayer ( 6656 )

      Not only will nobody go to prison over this, nobody will ever be fired over this aspx crap. SQL injection attacks are sooooo 2011 [wikipedia.org] ...

    • Stupid comparison. Burning someone's house down has a wildly different impact than releasing their data. Punishing both acts equally would be asinine, and that's before we talk about the fact that prison has been shown not to be a deterrent to negligence which has an unfathomably low chance of occurring.

      And I use the word unfathomably in that humans are horrendous at determining risk for rare events and fail to effectively process said risk. Everyone going to jail over such a crime would have said "b

      • by Slayer ( 6656 )

        Data leakage can cause serious trouble to some people. While burning down an inhabited house is obviously attempted murder, causing widespread enough grief through impersonation and credit fraud triggering suicides might as well count for the same. Gross negligence may even be too weak a charge in this case: there was a court case in Germany, in which a downtown car racer was convicted for murder after an accident. Like it or not, this argument for stronger liability makes sense to legal experts.

        BTW after S

        • Data leakage can cause serious trouble to some people.

          It can. Maybe. Possibly. The law doesn't deal with "possibly". You need to demonstrate harm, such as losing your house, or being killed by a racing driver.

          • by Slayer ( 6656 )

            That downtown racer did not want to kill a pedestrian, but his driving style made that extremely likely, and during the race he may not even have been aware of this. If my life and liberty depends on no one blowing his/her brains out over some demolished credit rating due to this leak, then I'd stay the hell away from shoddy Windows software ...

          • LOL, really, in criminal law you need to demonstrate harm? If you get in a car and do 100 miles per hour through a school zone, but didn't hit anyone or anything. Sure, you broke traffic law, so you get a ticket and maybe even lose a driver's license, but according to your legal expertise, no criminal charges such as reckless driving, endangering the public or minors, would ever stick in court unless you actually hit someone? How about firing a weapon into a crowd but not hitting anyone, not criminal becaus
      • If a professional does a crappy job, you can choose not to hire them again. If the government loses your data, good luck demanding that they wipe all your data and give you the option to never give them any sensitive data ever again, because you don't trust them.
  • by 93 Escort Wagon ( 326346 ) on Thursday November 09, 2023 @11:34PM (#63994887)

    I had no idea Maine had that many citizens.... I thought it was only a few dozen people.

  • by drwho ( 4190 ) on Thursday November 09, 2023 @11:43PM (#63994897) Homepage Journal

    I am a Maine resident. I submitted a proposal to do a pentest on state systems back in 2020, because I thought I saw some vulns. They ignored me. Oh well.

    • Maine's "system" wasn't hacked, a 3rd-party file management system used by many state govt's was. It's an easy mistake, one has to make it to the second sentence of the summary for that info.

  • We are such good citizens.

    • by Anonymous Coward

      How else do you propose providing state services? Licenses? Taxes? Maybe they should just remember your face.

  • All the promotional text for MOVEit says the data are encrypted, but somehow this cannot be true? Why do state agencies need to use a third party to move large databases between their own machines? What is the perceived use case for this software and how is the vendor convincing people that they have a good solution?
    • SQL injections in MOVEit's web console login fields.

      https://www.kolide.com/blog/mo... [kolide.com]

    • I believe they support encryption in transmission and for files but both are optional to accommodate every workflow. The breach happened because the database was compromised due to SQL injection meaning the password and keys were exposed.
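      To illustrate the failure mode this comment describes (a login or lookup field whose text is spliced into SQL, so a single request can dump credentials and keys from the application's own database), here is an added example; it is not MOVEit's code and uses a constructed in-memory table with made-up values. The parameterised version shows the mitigation: bound placeholders keep field input as data rather than SQL syntax.

```python
import sqlite3


def make_db():
    # Constructed stand-in for an application's credential store (values are made up).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, api_key TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "KEY-A"), ("bob", "hash-of-bob-pw", "KEY-B")],
    )
    return con


def lookup_vulnerable(con, username):
    # The field value is formatted straight into the statement, so any quote
    # or operator in it is interpreted as SQL rather than as a literal name.
    sql = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return list(con.execute(sql))


def lookup_parameterised(con, username):
    # The driver binds the value separately from the statement text; the same
    # input is compared as an ordinary string and matches no row.
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return list(con.execute(sql, (username,)))


def demo():
    con = make_db()
    # Constructed field input that contains SQL syntax (the textbook tautology).
    probe = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(con, probe),      # every row, keys included
        "parameterised": lookup_parameterised(con, probe),  # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

      Encrypting files at rest does not help once the table holding the decryption keys or password hashes is readable through the same query path; the fix is at the query layer, with a database account that cannot read more than the application needs as a second line of defence.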

    • at10u8 [slashdot.org]: “All the promotional text for MOVEit says the data are encrypted, but somehow this cannot be true? Why do state agencies need to use a third party to move large databases between their own machines? What is the perceived use case for this software and how is the vendor convincing people that they have a good solution?”

      a. Political contributions on Capitol Hill.

      b. Homeland Security runs on MICROS~1

      c. We're all fcüked :(
  • by Bruce66423 ( 1678196 ) on Friday November 10, 2023 @03:58AM (#63995091)

    Who guards the guardians? Holding states authorities accountable for behaviour which in the private sector would attract criminal sanctions is a long term problem. It's within living memory that the UK abandoned the concept of 'Crown immunity', which had meant that all state operated institutions couldn't be prosecuted; in the UK this, of course, included hospitals. Now we have a steady flow of such prosecutions, though having little effect it seems; the actual managers responsible are seldom in the dock themselves.

    One plausible solution is to require all data holders and their contractors to have significant insurance cover and to encourage the insurers to enforce strict testing strategies. Unfortunately the nature of the forever changing tech landscape is that there can never be real certainty; the inevitable risk is a price we have to pay

  • So after 5 months..... Why is it always months or years later that a breach is announced, really !!!! And it never said anything about offering to watch your credit services !! My personal info has been breached 3 times in 2 years and I currently have two watches with credit services. Companies you deal with want all your personal info and CAN'T protect it !!
    • I think the reasoning is if everyone lets your data be stolen then you can’t point to a single leak and no one is responsible.
    • by HiThere ( 15173 )

      "CAN't" or "don't choose to". Doing decent security is always a bit more expensive and often inconvenient.

  • all this information is widely available nowadays from the endless data leaks in the last 15 years. Freeze all your credit lines and move on.
    • Exactly. At this point it’s not if a person had their data stolen, it’s how many times and how recently. Everyone has likely had it stolen at least a dozen times by now.
  • Rinse and Repeat! Rinse and Repeat!
