Maryland state officials are advising residents to take precautionary measures after the state was implicated in the MOVEit data breach, a cyberattack on the file transfer system that has affected businesses and government agencies globally.
The Maryland Department of Human Services, the state’s primary social services agency, is one of a number of state and federal agencies affected by the MOVEit data breach. The breach is believed to have been caused by a security flaw in the file transfer tool at a third-party vendor contracted by the state, with this vulnerability allowing actors affiliated with the ransomware gang Cl0p to access and attack the data.
According to a news release from the Department of Human Services, the state does not currently believe that any of the stolen data has been sold or used, and the cyber attackers have not reached out to the State of Maryland at this point. Gov. Wes Moore has ordered the Department of Information Technology’s Office of Security to investigate the incident and if any other state agencies were affected, and the office will continue to monitor for vulnerabilities and coordinate a response among agencies and entities that may be involved.
According to Tasha Cornish, executive director of the Cybersecurity Association of Maryland, the data breach represents a classic example of supply chain exploitation and the risk of supply chain-based cybersecurity. With more platforms being used for various file and identity management processes, as soon as attackers are able to find a vulnerability, the entire system can be exploited, making it hard to protect against risk.
Richard Forno, director of UMBC’s Cybersecurity Graduate Program, says that this data breach represents an evolution in how cyberattackers are able to utilize third-party actors instead of targeting companies itself. These vendors have trusted access into organizations and agencies, and cyberattackers are able to use them to breach security measures.
In the news release, the state government advised residents to take a number of steps to safeguard their identity and protect against theft or further attacks, including changing passwords, monitoring and taking steps to secure their credit, and protecting their tax refunds with the Internal Revenue Service. The state also advised residents to remain vigilant and report any suspected identity theft.
Cornish said Marylanders do not need to be too worried, but should keep an eye on credit scores and the use of their Social Security number to safeguard against potential theft.
A number of other state governments also reported that their agencies were affected by the data breach, including drivers’ services, education departments and Medicaid programs. Federal agencies are also among the implicated parties, including the Department of Energy and the Office of Personnel Management.
Thus far, there has been no reason for concern regarding the data compromised from federal and state agencies, but officials are advising people to take precautions to ensure their data is kept safe moving forward, protecting against the possibility of identity theft.
Cyberattacks like the MOVEit data breach will continue to be an issue as people use an increasing number of technological tools with their data, according to Cornish, but the new technology is highly advanced and as secure as possible. Incidents like these are always concerning, but happen with relative frequency given the risks that come with new technologies, according to Forno.
–
