Maine Suspends Data Breach Portal After Fake Disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website. The decision was made after it was discovered that fake data breach disclosures had been submitted to Maine's official breach notification portal impersonating Discord and the multiplayer social virtual reality platform VRChat.
According to a statement published by the Maine Attorney General's Office, data breach "hoaxes" were submitted through the state's reporting system. The statement reads, "The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system." After conversations with VRChat, one of the affected companies, it became clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company.
Fake Disclosures Removed from Database
The false reports have been removed from the database, and the Attorney General's Office says it has no knowledge of any recent legitimate data breach reports from either VRChat or Discord. Prior to the shutdown, submitted breach notices were automatically published to the public database.
The Maine Attorney General's Office told BleepingComputer, "We don’t have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site. We will review the one you’ve flagged, thank you." The notice states that companies can continue to submit breach notifications through the reporting service, but members of the public seeking copies of disclosures must now contact the Attorney General's Office directly.
Incident Highlights Risks of Automatically Published Breach Disclosures
Maine's data breach portal is commonly used by journalists, researchers, and threat intelligence firms to monitor newly disclosed security incidents and determine whether organizations are reporting cyberattacks or data breaches affecting consumers. The incident demonstrates how automatically published breach disclosures can be abused to spread misinformation and damage a company's reputation.
The fraudulent VRChat filing claimed the company suffered a data breach impacting over 2.4 million people and included a fabricated employee contact name in the disclosure. After BleepingComputer contacted VRChat about the filing, the company confirmed the disclosure was fake and stated it had not submitted the notice to Maine authorities.
Unknown Number of Additional Fraudulent Notices
BleepingComputer also contacted Discord about the fraudulent notice submitted to the site but did not receive a response. It is unclear how many additional fraudulent breach notices may have been submitted through the portal before the state suspended public access to the database.
The incident highlights the importance of verifying the accuracy of breach disclosures before publishing them. By doing so, organizations can prevent the spread of misinformation and protect their reputation. As the Picus whitepaper shows, breach and attack simulation tests can help security teams identify vulnerabilities and prevent attacks from slipping by detection.
- Test every layer before attackers do
- Security teams log 54% of successful attacks and alert on just 14%
- The rest move through your environment unseen
The Picus whitepaper provides more information on how breach and attack simulation can help security teams improve their defenses. By testing their SIEM and EDR rules, security teams can ensure that threats are detected and prevented from causing harm.
Source: BleepingComputer