Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for August 18th, 2023. I'm Tim Walden in for Alex Achten. Thanks to Sentilink for supporting this podcast.

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 18, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we update you on the MOVEit data breach, which has become very complicated and continues to grow.

When we brought you our first episode on the MOVEit data breach in late June, we referenced Hank Williams’s song “Move It On Over”, one of the earliest examples of rock and roll music. We are keeping the song theme going in this episode with “You Gotta Move”, which was initially recorded by various musicians and later popularized by Mississippi Fred McDowell and the Rolling Stones. The MOVEit data breach is becoming as popular as this song, which is not good.

An Update on the MOVEit Data Breach

When we first told you about the MOVEit file transfer attack, the U.S. government had confirmed that multiple federal agencies fell victim to cyberattacks exploiting a security vulnerability in the file transfer tool MOVEit. At the time, some big names affected were PwC and EY. As of June 26, the ITRC tracked 14 organizations impacted by the MOVEit data breach, affecting 14 million people.

Fast forward to August 17, 2023, and the ITRC has tracked 134 U.S. organizations impacted by the data event, either directly or indirectly. (The number of organizations affected worldwide now totals more than 600.) Fifty-five (55) organizations have been impacted directly, and 79 have been affected through a single vendor or multiple vendors.

More companies who are users of MOVEit or who have vendors who use MOVEit software are continuing to issue data breach notices. Sometimes, but not always, the notices include the number of estimated victims. Because the number of impacted companies and people continues to grow, there is currently no highly accurate view of the impact of this attack and the resulting data breaches.

The Latest MOVEit-Related Data Breaches

  • The Colorado Department of Health Care Policy and Financing (HCPF) is alerting more than four million people of a data event. The data exposure occurred through IBM, which utilized the MOVEit software. Impacted information includes names, Social Security numbers (SSNs), Medicaid and Medicare ID numbers, clinical data, and health insurance information.
  • New York Life data was exposed in a third-party breach involving MOVEit via vendor Pension Benefit Information (PBI). According to PBI’s letter to the Maine Attorney General, the attack exposed 25,685 NYLIC-related individuals. The breach notification indicates that threat actors accessed individuals’ SSNs.
  • Over 744,000 people in Indiana were impacted by the MOVEit data breach when the state’s Family and Social Services Administration announced MOVEit software used by a third-party vendor was breached and exposed names, case numbers, addresses, and Medical numbers. The incident occurred via MOVEit software used by Maximus Health Services.

What to Do If You Receive a Data Breach Notice

Follow the advice offered by the impacted company. Freeze your credit to ensure no new credit accounts can be opened in your name. Immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, use multi-factor authentication (MFA) with an app – SMS can be spoofed – and keep an eye out for phishing attempts that claim to be from the breached organization.

Contact the ITRC

If you want to know more about how to protect your business or personal information, the MOVEit data breach, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Next week, we will have an episode of our sister podcast, the Fraudian Slip, breaking down the findings in our 2023 Consumer Impact Report, which will be released on August 23. The report captures the emotional, physical and lost opportunities of identity crime victimization. Some of the findings may make your jaw drop. You will be able to download the report by visiting www.idtheftcenter.org/publications. We will return in two weeks with another episode of the Weekly Breach Breakdown.