Breach Connected to MOVEit Flaw Affects Missouri Medicaid Recipients
The Missouri Department of Social Services (DSS) has issued an alert urging residents to safeguard their personal information following a cyber-attack originating from a data security breach at IBM Consulting in May 2023.
This breach potentially exposed the identities of numerous Medicaid participants. DSS, responsible for administering Medicaid services in the state, disclosed details surrounding the incident in a press release published on Tuesday.
The breach centered around a vulnerability discovered in Progress Software’s MOVEit Transfer software, a third-party application used by IBM.
“Attack-as-a-service lowered the barrier of entry to sophisticated cyber-attacks,” explained Dror Liwer, co-founder of cybersecurity company Coro. “This means criminals who are not very technical can set their sights on smaller targets and still generate significant ROI on their investment.”
While DSS systems remained unaffected, data belonging to the agency was compromised. Upon notification of the breach, IBM halted the use of the software for investigation and applied necessary fixes.
On June 13, 2023, IBM reportedly informed DSS that unauthorized access to files within the MOVEit application had occurred, potentially including Medicaid participants’ protected health information.
“Most of the organizations that were hit by [the] gangs [behind these attacks] had weeks to patch the vulnerability but didn’t respond in time. Untimely patching is the second biggest cause of successful hacking, only behind social engineering,” said Roger Grimes, data-driven defense evangelist at KnowBe4.
“That’s why the security industry is working on something called the Software Bill of Materials (SBOM) […]. The idea is that these types of unpatched vulnerabilities that are used over and over for months and years by attackers become less frequent.”
DSS said it had obtained the accessed files and is presently analyzing their contents. The information involved in the incident includes individual names, department client numbers (DCN), dates of birth, possible benefit eligibility status or coverage, and medical claims information.
The agency has started notifying affected individuals and is advising them to monitor their credit reports and take measures to secure their information.
DSS is cooperating with IDX, a ZeroFox Company, to address this issue, establishing a dedicated call center and response website for assistance.