Following Maximus’ confirmation of utilizing MOVEit for internal and external file sharing, concerns arose as personal information may have been compromised by a third party.
Subsequently, another disclosure came to light when the ransomware group responsible for breaching MOVEit MFT decided to remove the healthcare company’s name from its list of victims.
Maximus delisted Cl0p, making it one of 11 companies removed from the ransomware group’s victim list. This has led to speculation about whether the company paid a ransom to the ransomware group.
Maximus delisted by Cl0p ransomware group
“Maximus has been delisted. It’s one of the 11 companies to have been removed from Cl0p’s website after the initial listing,” Threat Analyst Brett Callow tweeted.
In a previous tweet, Brett noted that Maximus has confirmed that the Secure Service Networks and Personal Health Information of 8 to 11 million of its customers were likely affected by the MOVEit breach.
The reasons behind the ransomware group Cl0p decided to delist Maximus from its targeted organizations remain unclear. However, there are conjectures surrounding the possibility of a ransom payment being involved.
In its notice, Maximus wrote that it shares data with government customers about individuals who take part in government programs.
“The Company believes that the personal information of a significant number of individuals was accessed by an unauthorized third party by exploiting this MOVEit vulnerability,” the notice by Maximus added.
The forensic experts of Maximus completed the investigation that confirmed and identified files impacted by the security incident.
Maximus delisted by Cl0p – Cost and data lost due to the MOVEit breach
The following information was likely stolen through the files accessed by hackers –
- Personal information
- Social Security Numbers
- Protected health information
The delisted company stated that it plans to record an expense of nearly $15 million for the investigation and remediation due to the Maximus cyber attack. This cost is estimated for the quarter ending on June 30, 2023.
The statement concluded that the complete investigation to help determine the number of individuals impacted by the Maximus cyber attack may take several weeks.
Failed ransom negotiations, MOVEit vulnerability and Maximus delisted by Cl0p
Recently, Cl0p managed to delist TD Ameritrade which was named as a target of the MOVEit cyber attack. After making negotiation talks with the impacted company, Cl0p delisted TD Ameritrade.
Threat Analyst Brett tweeted about Ofcom that decided not to pay a ransom following the security incident stemming from the MOVEit vulnerability exploitation.
Harris Healthcare confirmed that patient details with names and SSNs were exposed to Cl0p via the MOVEit data breach.
The MOVEit SQL injection vulnerability CVE-2023-34362 exploitation has exposed nearly 513 organizations. This number of impacted individuals has crossed 30 million individuals.
However, the number of impacted individuals by MOVEit cyber attack is predicted to be higher than this as most of the organizations have investigations ongoing. It has not been found or confirmed by over 50% of impacted organizations.
Cl0p has already exploited file-transferring platforms using vulnerabilities. In a joint cybersecurity advisory, CISA, NSA, and ACSC listed steps to be followed in vulnerability management.
It covered helpful points to be taken into consideration by vendors, designers, and developers while working on web application software.
It detailed about IDOR vulnerabilities that allowed hackers to edit, modify and/ or delete objects.