Maximus, a US government contractor, says the health data of up to 11 million individuals was accessed by hackers exploiting a MOVEit zero-day flaw.
MOVEit is a secure file transfer utility used by many organizations. Unfortunately, the company behind it discovered a zero-day vulnerability that allowed hackers to gain access, according to an SEC filing by Maximus (https://www.sec.gov/ix?doc=/Archives/edgar/data/1032220/000103222023000061/mms-20230726.htm):
On May 31, 2023, Progress Software Corporation, the developer of MOVEit (“MOVEit”), a file transfer application used by many organizations to transfer data, announced a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments. It appears that a significant number of commercial and government customers worldwide were affected by this vulnerability. Maximus, Inc. (“Maximus” or the “Company”) uses MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs. The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability. The Company is cooperating with law enforcement regarding this cybersecurity incident.
Maximus estimates that investigation and remediation costs will come in at $15 million.