The biggest security breach of the year has affected 60 million people so far, including customers of Delaware’s biggest bank, M&T Bank.
The hack dates back to the end of May, TechCrunch said, with experts saying that the hackers knew about the vulnerability in the MOVEit software as far back as 2021.
Cl0p, a ransomware group linked to Russia, claimed responsibility for the hacks, TechCrunch said.
The biggest leak involves 11 million people serviced by Maximus, a company that manages federal data. The Centers for Medicare & Medicaid Services said the data breached “may have included” basically everything about the health and personal identity of 612,000 current Medicare beneficiaries.
Almost as scary is a letter from Global Atlantic that says they “believe” that the hack included names, Social Security numbers and dates of birth. Global Atlantic’s brands include Accordia Life, Commonwealth Annuity, First Allmercia Finance and Forethought Life. Global Atlantic is offering customers two free years of Experian IdentityWorks.
What happened at M&T
M&T sent out at least two different letters to customers. Both said the hacked information at “external service providers” included names, addresses and account numbers.
The note to those with personal accounts said “no PINs, passwords or other sensitive data, such as Social Security numbers, date of birth or debit/credit card numbers were accessed.”
The note to business accounts said no PINs or passwords were accessed.
M&T’s letter to those with personal accounts offered a free year of credit monitoring from Equifax. Its letter to those with business accounts offered a free year of monitoring by Sontiq, a TransUnion company.
When asked what percentage of accounts were affected, Frank Lentini, senior communications director for M&T, said “We are now directly informing any customers who may have been affected.”
Equifax, TransUnion (based in Chester, Pa.) and Experian are America’s largest credit bureaus.
What you can do
A respected personal-finance website called NerdWallet offers four tips of what to do after a data breach:
- For best protection, freeze your credit.
- Place a fraud alert if you can’t freeze right now.
- Check all three credit bureau reports.
- Watch your credit card activity.
The federal government offers these seven tips to protect your identity.
- Do not answer phone calls, texts, social media messages or email from numbers or people you do not know.
- Do not share personal information.
- Collect your mail every day and <place a hold on your mail when you will be on vacation or away from your home.
- Review credit card and bank account statements. Watch for and report unauthorized or suspicious transactions.
- Understand how ATM skimming works and how to protect yourself.
- Learn when it is safe to use a public Wi-Fi network.
- Store personal information, including your Social Security card, in a safe place. Do not carry it in your wallet.
More on the data breach
Even though the MOVEit hack has affected at least 1,000 organizations, a cybersecurity firm called Emisoft has figured, it has so far gained little attention in traditional American media. It has, however, gotten lots of attention in specialized media.
The number of victims known is growing daily as companies and organizations send out letters to users and report the breach, when required, to various state and federal agencies. About 90% of the victims are based in the United States, according to Emisoft.
“MOVEit is used to ship large amounts of often sensitive data,” Reuters wrote. “Because many of those organizations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiraled outward in sometimes convoluted ways.
“For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specializes in locating surviving family members of pension fund holders, they gained access to the data of the New York-based Teachers Insurance and Annuity Association of America, which in turn manages pension programs for 15,000 institutional clients, many of whom have spent the past weeks notifying employees of their exposure.”
Progress Software, the Massachusetts company that makes MOVEit, is silent about the breach on its homepage and the directory of its latest news releases.
Share this Post