Government services provider Maximus has disclosed a major data breach, revealing that up to 11 million individuals’ personal information was stolen in the MOVEit cyberattack earlier this year.
The attack, which was made public in May, exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) software, granting cybercriminals access to data transferred through the service.
As of July 26, the cyberattack had impacted 513 organizations, with an estimated 35 million individuals’ data compromised in the malicious campaign, according to cybersecurity firm Emsisoft.
Maximus confirmed that it was affected by the breach in a Form 8-K filing with the US Securities and Exchange Commission. The company uses MOVEit for internal and external file sharing, including data shared with government customers participating in various government programs. The attackers obtained files containing personal and protected health information, including Social Security numbers, affecting at least 8 to 11 million individuals.
The investigation into the incident is ongoing, and Maximus is preparing to notify those affected by the breach.
Despite the scale of the attack, Maximus stated that there is no evidence of an impact on its internal IT systems or its customers beyond the MOVEit environment. The company’s business operations have not been materially interrupted due to the incident.
However, the investigation and remediation activities associated with the breach are expected to result in expenses of approximately $15 million for the quarter ended June 30, 2023. Maximus, headquartered in Reston, Virginia, collaborates with government agencies in the US, Australia, Canada, and the UK, managing and administering various government-sponsored health and human services programs, and employs over 34,000 individuals.