USA: Hackers harvest data from 1.3 million people

Road sign at the Maine border
Companies in Germany were also affected by the security vulnerabilities in the MOVEit software that were exploited in Maine.(Source: IMAGO / agefotostock)

Hackers stole sensitive personal data from residents in the U.S. state of Maine. The local government confirmed this on Thursday. According to them, about 1.3 million people were affected – almost the entire population of Maine.

As the local government in Maine communicated, data such as names, social security numbers, birth dates, driver’s licenses and tax identification numbers were stolen in the attack. The stolen data differs from person to person – residents of Maine are to call a hotline to find out which data of theirs has been stolen.

In addition, for some individuals “certain types of medical information” and health insurance data may have been obtained from the theft.

In particular, social security numbers and driver’s licenses are sensitive information as they can also be used as a proof of identity – therefore, criminals could use these details for identity theft. The Social Security Administration warns that every year millions of Americans are victims of identity theft. Criminals can also find out additional information about those affected with the help of social security numbers.

Global attacks resulting from MOVEit security vulnerabilities

As a background to the attack, there were known security vulnerabilities in the data transfer software MOVEit since the end of May – the software has since been updated. The attack on systems in Maine occurred at the end of May. The MOVEit server was taken offline, updates were installed and external IT security experts were consulted. A subsequent investigation has now been completed so that residents could be notified of the data theft.

Across the globe, numerous organisations were attacked using the security vulnerabilities. As the news agency Bloomberg reported this past week, criminals accessed more than 630,000 email addresses at the U.S. Justice Department and parts of the Defense Department.

Additionally, criminals in U.S. states Louisiana and Oregon harvested data from millions of driver’s licenses. Sensitive data from millions of people was also taken from a service provider, Maximus, used by the U.S. government – including social security numbers and health data.

In Germany, it was also made known that security vulnerabilities in MOVEit were exploited to access data from the service provider, Majorel. Through their subsidiary company,, the provider wants to make it easier for bank customers to change from one financial institution to another. In the attack, data was stolen from thousands of customers from Deutsche Bank, Postbank as well as the direct banks ING and Comdirect.

Even the German price comparison website, Verivox, as well as an external service provider of Barmer-Krankenkasse (Barmer Health Insurance), exploited MOVEit vulnerabilities and stole personal data.

Data stolen from millions of people

The German Federal Office for Information Security (BSI) issued a security warning in the beginning of June and stated in it that there was a “need for immediate action” – the updates already made available by the manufacturer should be installed “promptly”.

According to data from the IT security company, Emsisoft, more than 2,500 organisations and the data from more than 69 million people have been affected. Among other things, the company analysed data leak reports and stock market reports for their statistics. (js)