One year on, universities org admits MOVEit attack hit data of 800K people
Nearly 95M people in total snagged by flaw in file transfer tool
Just short of a year after the initial incident, the state of Georgia's higher education government agency has confirmed that it was the victim of an attack on its systems affecting the data of 800,000 people.
University System of Georgia (USG), which oversees 26 higher education institutions in the US state, filed a disclosure with the attorney general of Maine on Tuesday – the first time it has publicly explained the incident it detected on May 31, 2023.
In a letter sent to the 800,000 victims, USG explained that the breach was actually one of many from last year linked to the Cl0p gang's exploitation of a since-patched flaw in Progress Software's MOVEit MFT tool.
"The files and information obtained by this cybercriminal group will likely be published on its website," reads the letter, which is dated April 15.
The data accessed by the cybercriminals may include full social security numbers (SSNs), the last four digits of SSNs, dates of birth, bank account numbers, and federal income tax documents with tax ID numbers.
"USG takes protecting personal information seriously and is taking steps to prevent a similar occurrence in the future," the letter adds.
"MOVEit Transfer software operating at USG was immediately blocked upon detection of the breach on May 31, 2023, and has now been fully updated and secured in accordance with guidance from Progress Software and CISA. After updating and securing the system, USG immediately began a lengthy investigation to determine which individuals may have been impacted by the incident."
Not included in the letter are additional details from the filing in Maine, which suggests driving license numbers may also be included.
USG began alerting victims to the incident from April 15, with subsequent letters being sent over the following two days, the filing shows. This was the earliest point at which victims were made aware that their data may be in the hands of criminals. No other data breach notifications were made within the last 12 months, at least in Maine.
Only a small number of states have a public portal to view breach notifications, and California's shows USG reported the same MOVEit breach slightly earlier on March 28 this year.
US state law doesn't set a deadline for reporting security breaches in the same way as the GDPR does, for example, so for those wondering what action USG will face for disclosing so late, the answer is probably none.
Most states simply use the wording "without unreasonable delay," or something equally unspecific, when describing the ideal window for disclosing security incidents, which is why these kinds of waits are allowed to happen.
Victims of USG's MOVEit breach have been offered the usual 12 months of credit monitoring from credit reference agency Experian. "USG regrets any inconvenience or concern caused by this incident," is the closest the government department came to an apology.
Security shop Emsisoft has tracked the number of victims and scale of the MOVEit breach since the exploitation of a critical bug in the software (CVE-2023-34362) began in late May 2023.
The current number of organizations that fell victim stands at 2,771, and the total number of affected individuals is just shy of 95 million.
Major organizations such as the BBC and British Airways fell victim to Cl0p's attacks despite the large majority of data breaches targeting North America.
According to Emsisoft's tracker, government contractor Maximus and healthcare SaaS company Welltok are the two organizations hit hardest by the attacks. The businesses lost records belonging to 11.3 million and 10 million people respectively. ®