IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

MOVEit Hits Maine: More Than 1 Million People Affected

The breach affected more than half of the data held by state’s Department of Health and Human Services, as well as data from other agencies. The incident affects 1.3 million people, in some cases exposing Social Security numbers.

A hacking concept image of red exclamation mark over an infected network.
Shutterstock/Chor muang
Maine is one of the latest MOVEit victims to come forward. On Nov. 9, the state announced that the data belonging to more than 1.3 million people had been compromised in a massive cyber incident.

In late May, cyber extortionists CL0P compromised third-party secure file transfer service MOVEit, affecting those who used the tool. In June, the group began naming victims worldwide. Counted among the U.S. victims are several federal agencies and several states.

Maine recently finished assessing just how much the impact affected it. Now with the full list of affected individuals in hand, it’s reaching out to notify them.

The specific compromised details may vary by person, but could include dates of birth, driver’s license numbers, Social Security numbers, state identification numbers and/or taxpayer identification numbers as well as medical and health insurance information, per the state.

More than half of the data held by the state Department of Health and Human Services was affected, while 10 to 30 percent of the data held by the Department of Education was likely compromised, state officials said.

There are eight further agencies for which portions of their data that was exposed is either unknown to the state or is less than 1 percent. These include the Department of Administrative and Financial Services’ Office of the Controller; Workers’ Compensation Board; Bureau of Motor Vehicles; Department of Corrections; Department of Economic and Community Development; Department of Administrative and Financial Services’ Bureau of Human Resources; Department of Professional and Financial Regulation; and the Department of Labor’s Bureau of Unemployment Compensation.

A few agencies had information exposed on no more than 10 people. Those agencies include Revenue Services, the Center for Disease Control & Prevention and the Department of Public Safety’s Gambling Control Unit.

The state emphasized that the incident only impacted Maine’s MOVEit server, leaving other state networks and systems unaffected. Upon becoming aware of the incident, officials responded by blocking Internet access to and from those servers. It also adopted security measures recommended by Progress Software, the company behind the file transfer software, and brought in outside cybersecurity experts to help investigate the extent and nature of the incident.


The state is notifying impacted individuals and set up a dedicated call center to field questions. Individuals also can call to confirm whether or not they were affected.

People whose taxpayer identification numbers or Social Security numbers were exposed can call in for assistance getting two free years of credit monitoring and identity theft protection.

The line is open 9 a.m. – 9 p.m. Monday through Friday at 877-618-3659.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.