The state of Maine made a public disclosure about a massive data breach months after knowing about it.
It is estimated that around 1.3 million people were impacted by the cyberattack, which homed in on a weak link in a vital program used by the state and other organizations.
The state released a statement saying the breach took place between May 28 and 29 this year.
In the announcement, the government said Maine became aware of "a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data."
The message said the security incident involved the exploitation of a security weakness in one part of the program, and said "a group of cybercriminals" was able to access and download files belonging to certain agencies in Maine.
The government said Maine then initiated action to protect information from further theft by blocking internet access to and from the MOVEit server, while applying other "security measures recommended" by the maker of the software. Maine retained outside legal representation after the incident and said it reached out to outside cybersecurity professionals to investigate and determine how extensive the theft of data was.
Security professionals believe about 1,000 organizations and millions of individuals were affected.
A report from IBM says data breaches cost, on average, around $165 per record. That could equal millions and even billions of dollars in losses in large data breaches that affect a sizable portion of the population.
The IBM report says that the average cost of a data breach reached an all-time high in 2023, rising to around $4.45 million.
Maine offered two years of complimentary credit monitoring and identity-theft protection services to those who had their Social Security numbers or taxpayer ID numbers involved in the breach.
The industry publication Government Technology reported that the months-long delay in notifying the public has drawn criticism from those who could have been impacted, and from industry leaders.