Millions of People Affected in MOVEit Attack on US Govt Vendor

Living up to its name, Maximus sees a whale of a breach that affects millions of peoples sensitive government records, including health data.

The MOVEit breach has claimed yet another target: Maximus Inc., a US government contractor. Though the companys internal systems were unaffected, 8 to 11 million peoples personal information may have been compromised.
Maximus provides technology services for administering and managing government programs like student loan servicing, and Medicaid and Medicare. It operates in Australia, Canada, the UK, and the US employing more than 39,000 people with an annual revenue exceeding $4.25 billion,
according to its website
.
In
its 8-K form for investors
, filed with the Securities and Exchange Commission (SEC) on July 26, the company revealed that it had been a victim of
the GoAnywhere MOVEit attack
, carried out by
the Cl0p ransomware gang
. The attackers appear to have accessed files which contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals, the company noted in its 8-K.
In a statement provided to Dark Reading, Maximus emphasized that we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network.
Meanwhile the company estimated in its 8-K that its breach-related expenses in the second quarter came to around $15 million.
Nearly two months on, new victims of the MOVEit breach are still revealing themselves. It was May 27 when hackers began exfiltrating data via
a zero-day SQL injection vulnerability
in GoAnywheres MOVEit file transfer software.
In the month following
GoAnywheres disclosure of the incident
, NCC Group tracked a
211% rise in ransomware attacks
, 21% of the total owing to Cl0p. More recently, the antivirus company
Emsisoft has tracked 514 organizations
, and almost 36.1 million individuals, known to be affected by the MOVEit breach. The overwhelming majority — 72.7% — are based in the US, and 10.5% occupy the public sector.
Even the act of measuring such a wide blast radius is fraught, though, as Maximus — a vendor for government organizations in four countries, managing millions of individuals sensitive records — demonstrates.
Some of the organizations impacted provide services to multiple other organizations, and so the numbers are likely to increase significantly as those organizations start to file notifications, Emsisoft noted in its assessment of the scope of the incident.
So its not just MOVEits own customers at risk — customers of MOVEits customers will also have to watch their backs.
They need to make sure that theyre constantly updating and tracking their intrusion detection systems, says Kurt Osburn, director of risk management and governance at NCC Group. They need to make sure that theyre doing penetration testing and vulnerability scanning, constantly, to make sure nobodys accessing records. And they need to make sure that any transactions they do with individuals or with other companies are encrypted.
Beyond businesses, there are millions of individuals in the firing line. Maximus occupies a privileged place in the government supply chain, and manages millions of peoples economic, health, and other sensitive records, making it a particularly attractive target for Dark Web personal data merchants, and particularly dangerous for the folks who may not even realize theyre caught up in such a mess.
Medical records are worth probably upwards of $1,000 [each] on the Dark Web, Osborn emphasizes, because you can get Social Security numbers, addresses, phone numbers, dates of birth. And so you can buy houses, set up credit cards, file fake tax returns — its all fair game if youve got protected medical healthcare information that has everything important about an individual.
He adds, Its going to continue to be a problem because of the value of the records — what hackers can do with them, noting that a compromise like this can drag on for years.
Ive personally been breached more times than I can count, but nothing ever happens. Nothing changes, he says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Millions of People Affected in MOVEit Attack on US Govt Vendor