
MOVEit Global Security Incident

Last updated: April 10, 2024

Information for Maine Residents and Impacted Individuals

Maine encourages individuals to take steps to protect their personal information.

Overview

We are sharing information relating to a cyber incident that exploited a vulnerability in a widely used file transfer tool, MOVEit, which is owned by Progress Software. This event has had a global impact, affecting thousands of organizations, including certain agencies in the State of Maine. While impacted individuals may receive notice of this incident separately, we are sharing details broadly on our website. Please visit this website for the latest updates relating to this incident.

What Happened?

On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.

Importantly, as it pertains to the State, this incident was specific and limited to Maine’s MOVEit server and did not impact any other State networks or systems.

Since the onset of the incident, the cybercriminals involved claimed their primary targets were businesses, with a promise to erase data obtained from certain entities, including governments. Despite their assertions that any data obtained from government has been erased, the State is urging individuals to take steps to protect their personal information.

What Information Was Involved?

In its initial assessment, the State of Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person. The State encourages individuals to reach out to its dedicated call center to verify if they were affected and, if so, to identify what specific data of theirs was involved.

The State of Maine may hold information about individuals for various reasons, such as residency, employment, or interaction with a state agency. The State also engages in data sharing agreements with other organizations to enhance the services it provides to its residents and the public.

The specific information involved in this incident varies based on the individual and their association with the State. However, the following types of information may have been involved: name, Social Security number (SSN), date of birth, driver’s license/state identification number, and taxpayer identification number. In addition, for some individuals, certain types of medical information and health insurance information may be involved.


Why Am I Hearing About This Now?

The State of Maine carried out an extensive evaluation to identify the individuals whose information may have been impacted. This assessment was a critical component of Maine's response, as it enabled the State to notify those who may have been affected. Following this assessment, the State initially notified impacted individuals in November 2023 through various communication channels, including through a nationwide media press release, letter mail and/or email.

After further review and evaluation of the affected data, the State issued a second set of notifications. This was done either to alert those who had been previously notified that more data elements might be involved, or to inform those who were initially considered unaffected by the incident that their information might be implicated. If you belong to either of these groups, you might be receiving this incident notification now to ensure you are fully informed and so that you can take steps to safeguard your information.

The State has concluded its investigation at this point and does not foresee issuing additional notices related to this incident.


What Did Maine Do to Respond to the Incident?

As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server. The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.

The State of Maine is also offering two years of complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identification numbers were involved.


How Do I Find Out if My Information Was Involved?

Individuals are encouraged to contact Maine's dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET. If it is determined that an individual’s Social Security number or taxpayer identification number is involved, the call center will provide the individual with a complimentary credit monitoring code.

Individuals who receive a code for credit monitoring may enroll in the services by calling (866) 622-9303. Representatives are there to assist you from Monday to Friday, 8 AM to 11 PM ET, and on Saturday from 9 AM to 6 PM ET.

Adults may also enroll online by visiting https://app.identitydefense.com/enrollment/activate/stme. Minors may be enrolled online by visiting https://app.minordefense.com/enrollment/activate/stemd. Remember to have your code handy when you're ready to enroll.

The State of Maine is also actively notifying impacted individuals through various communication channels, including through a nationwide media press release, letter mail, and/or email.


I Received a Letter About this Incident with a Return Address from Portland, Oregon. Is this Legit?

Yes. The State of Maine is working with a partner with a mailing facility in Portland, Oregon. The letters are legitimate.


I received an email from the address noreply@stateofmainenotice.com. Is it safe to open?

Yes, this email is legitimate and safe to open. It comes from a partner and trusted source working on behalf of the State of Maine.


Which State Departments/Agencies/Divisions Were Affected by the Incident?

The State Departments/Agencies/Divisions listed below were affected by the incident to varying degrees. Each is listed under its percentage range of the impacted individuals. This information is subject to change if new information is learned.

Over 50%

  • Maine Department of Health and Human Services

10 – 30 %

  • Maine Department of Education
  • Maine Department of Administrative and Financial Services – Office of the Controller 
  • Maine Department of Administrative and Financial Services – Bureau of General Services, Office of Procurement Services

5 – 10 %

  • Maine Workers’ Compensation

Unknown or Less than 1 %

  • Maine Bureau of Motor Vehicles 
  • Maine Department of Corrections 
  • Maine Department of Economic and Community Development 
  • Maine Department of Administrative and Financial Services - Bureau of Human Resources 
  • Maine Department of Professional and Financial Regulation 
  • Maine Department of Labor - Bureau of Unemployment Compensation

Some State Departments/Agencies/Divisions, including Maine Revenue Services, Center for Disease Control & Prevention, and Department of Public Safety – Gambling Control Unit had fewer than 10 individuals impacted by the incident.


What Can I Do to Protect My Information?

We recommend that all individuals take steps to protect their personal information, including:

  1. Review Your Accounts for Suspicious Activity.

    We encourage you to remain vigilant by regularly reviewing your accounts and monitoring credit reports for suspicious activity.

  2. Order A Credit Report.

    If you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit https://www.annualcreditreport.com or call toll-free at 1-877-322-8228. If you discover information on your credit report arising from a fraudulent transaction, you should request that the credit reporting agency delete that information from your credit report file. Contact information for the nationwide credit reporting agencies is provided in the next section.

  3. Contact the Federal Trade Commission, Law Enforcement, and Credit Bureaus.

    You may contact the Federal Trade Commission (“FTC”), your state’s Attorney General’s office, or law enforcement, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. To learn more, you can go to the FTC’s websites at www.identitytheft.gov and www.ftc.gov/idtheft; call the FTC at (877) IDTHEFT (438-4338); or write to: FTC Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

    You may contact the consumer reporting agencies at:

    • Equifax: (800) 525-6285; P.O. Box 740241, Atlanta, Georgia, 30374; or www.equifax.com.
    • Experian: (888) 397-3742; P.O. Box 9701, Allen, TX 75013; or www.experian.com.
    • TransUnion: (800) 916-8800; Fraud Victim Assistance Division, P.O. Box 2000, Chester, PA 19022; or www.transunion.com.

  4. Additional Rights Under the FCRA.

    You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here.

    Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by: (i) visiting https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf (PDF); or (ii) by writing to Consumer Financial Protection Bureau, 1700 G Street, N.W., Washington, DC 20552.

  5. Request Fraud Alerts and Security Freezes.

    You may obtain additional information from the FTC and the credit reporting agencies about fraud alerts and security freezes. You can add a fraud alert to your credit report file to help protect your credit information. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you, but it also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting agencies listed above. As soon as that agency processes your fraud alert, it will notify the other two agencies, which then must also place fraud alerts in your file.

    To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

    If you are very concerned about becoming a victim of fraud or identity theft, you may request a “Security Freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

    In order to place the security freeze, you will need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

    If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the City in which you currently reside.

    If you do place a security freeze prior to enrolling in the credit monitoring service as described above, you will need to remove the freeze in order to sign up for the credit monitoring service. After you sign up for the credit monitoring service, you may refreeze your credit file.


I qualify for 2 years of free credit monitoring and have signed up for that service. Once the two years are over, will I continue to be charged for this service?

No, the complimentary credit monitoring and identity protection services will automatically cease for any individual once their free 24-month service period concludes. To continue using the service, the individual will need to take additional action to maintain their customer status.


Contact/For More Information

Individuals are encouraged to contact Maine's dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET. If it is determined that an individual’s Social Security number or taxpayer identification number is involved, the call center will provide the individual with a complimentary credit monitoring code.

Individuals who receive a code for credit monitoring may enroll in the services by calling (866) 622-9303. Representatives are there to assist you from Monday to Friday, 8 AM to 11 PM ET, and on Saturday from 9 AM to 6 PM ET.

Adults may also enroll online by visiting https://app.identitydefense.com/enrollment/activate/stme. Minors may be enrolled online by visiting https://app.minordefense.com/enrollment/activate/stemd. Remember to have your code handy when you're ready to enroll.

The State will keep this dedicated website up to date with the latest information relating to this incident. We encourage you to visit frequently.

View the official press release.
