Information for Maine Residents and Impacted Individuals
Maine encourages individuals to take steps to protect their personal information.
Overview
We are sharing information relating to a cyber incident that exploited a vulnerability in a widely used file transfer tool, MOVEit, which is owned by Progress Software. This event has had a global impact, affecting thousands of organizations, including certain agencies in the State of Maine. While impacted individuals may receive notice of this incident separately, we are sharing details broadly on our website. Please visit this website for the latest updates relating to this incident.
What Happened?
On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.
Importantly, as it pertains to the State, this incident was specific and limited to Maine’s MOVEit server and did not impact any other State networks or systems.
What information Was Involved?
The State of Maine has determined that this incident has impacted approximately 1.3 million individuals, with the type of data affected differing from person to person. The State encourages individuals to reach out to its dedicated call center to verify if they were affected and, if so, to identify what specific data of theirs was involved.
The State of Maine may hold information about individuals for various reasons, such as residency, employment, or interaction with a state agency. The State also engages in data sharing agreements with other organizations to enhance the services it provides to its residents and the public.
The specific information involved in this incident varies based on the individual and their association with the State. However, the following types of information may have been involved: name, Social Security number (SSN), date of birth, driver’s license/state identification number, and taxpayer identification number. In addition, for some individuals, certain types of medical information and health insurance information may be involved.
Why Am I Hearing About This Now?
The State of Maine carried out an extensive evaluation to identify the individuals whose information may have been impacted. This thorough assessment was a critical component of Maine’s response, as it facilitated the State in providing notifications to those who may have been affected. This assessment of the impacted files was recently completed, and, as a result, the State is now actively notifying the impacted individuals through various communication channels, including through a nationwide media press release, letter mail and/or email.
What Did Maine Do to Respond to the Incident?
As soon as the State became aware of the incident, the State took steps to secure its information, including by blocking internet access to and from the MOVEit server. The State also implemented security measures recommended by Progress Software, engaged the services of outside legal counsel, engaged external cybersecurity experts to investigate the nature and scope of the incident, and conducted an extensive investigation to determine what information was involved.
The State of Maine is also offering two years of complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or taxpayer identification numbers were involved.
How Do I Find Out if My Information Was Involved?
Individuals are encouraged to contact Maine’s dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET. If it is determined that an individual’s S
