Security News > 2023 > July > Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug

Accounting giant Deloitte, pizza and birthday party chain Chuck E. Cheese, government contractor Maximus, and the Hallmark Channel are among the latest victims that the Russian ransomware crew Clop claims to have compromised via the MOVEit vulnerability.

The biz now joins PwC and Ernst and Young - all three big accounting firms - among the hundreds of organizations compromised by Clop via a security hole in vulnerable deployments of the file-transfer tool MOVEit.

In a US Securities and Exchange Commission filing on Wednesday, Maximus, which does the admin for US government programs like Medicaid and Medicare, disclosed that the personal information of as many as 11 million individuals' was "Accessed" by Clop.

"Based on the review of impacted files to date, the company believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident," Maximus's 8-K filing to the SEC stated.

The team has been scouring state breach notifications, SEC filings, other public disclosures, and Clop's website to update their list of affected orgs and people at least every 24 hours since the fiasco started.

"How many organizations and individuals have been impacted by this incident remains to be seen," Emsisoft Threat Analyst Brett Callow told The Register.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/27/maximus_deloitte_moveit_hack/