Maine disables data breach notification portal after false disclosures

Maine has taken its public data breach reporting portal offline after false breach disclosures were published on the state’s website, prompting a review of procedures to prevent future abuse.
Yesterday, BleepingComputer reported that a fake data breach disclosure had been submitted to Maine’s official breach notification portal, involving Discord and VRChat, the multiplayer virtual reality platform.
At the time, VRChat told BleepingComputer that the filing was fake and had been submitted using a fictitious employee name.

In a statement published Friday, the Maine Attorney General’s Office acknowledged that a “false” data breach report had been submitted through the state’s reporting system.
“The Maine Attorney General’s Office has been notified of a misuse of our data breach reporting system,” the statement read.
“After discussions with VRChat, one of the two affected companies, it has become clear that the reported data breach was a hoax posted by an unknown entity unrelated to any company. These false reports have been removed from the website. We are not aware of any recent official reports of data breaches from VRChat or Discord.”
The Attorney General’s Office says it has now temporarily disabled public access to the breach notification database while it revises reporting procedures to reduce similar abuses in the future.
Prior to the closure, submitted breach notices were automatically published on a public website.
“We have no independent knowledge of the violation; the sending organization fills out the information and it goes directly to the site. We will review the flagged, thank you,” the Maine Attorney General’s Office told BleepingComputer.
The notice says companies can continue to submit breach notices using the reporting service, but members of the public seeking copies of disclosures should now contact the Attorney General’s Office directly.
Maine’s data breach portal is often used by journalists, researchers, and threat intelligence companies to monitor newly disclosed security incidents and determine whether organizations are reporting cyber attacks or data breaches affecting consumers.
The incident shows how automatically published breach disclosures can be abused to spread false information and damage a company’s reputation.
The fake VRChat filing said the company had suffered a breach of the data of more than 2.4 million people and included the employee’s name in the disclosure.
After BleepingComputer contacted VRChat about the filing, the company confirmed the leak was a hoax and said it had not yet notified Maine authorities.
BleepingComputer also contacted Discord about the fake notification posted on the site but did not receive a response.
It is not clear how many more fake breach notices may have been submitted through the portal before the state suspended public access to the website.




