Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state’s website, prompting a review of procedures to prevent abuse in the future.
Yesterday, BleepingComputer reported that fake data breach disclosures had been submitted to Maine’s official breach notification portal impersonating Discord and the multiplayer social virtual reality platform VRChat.
At the time, VRChat told BleepingComputer the filing was fraudulent and had been submitted using the name of a fictitious employee.
In a statement published Friday, the Maine Attorney General’s Office acknowledged that data breach “hoaxes” were submitted through the state’s reporting system.
“The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system,” the statement reads.
“After conversations with VRChat, one of two affected companies, it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company. These false reports have been removed from the database. We have no knowledge of any recent legitimate data breach reports from either VRChat or Discord.”
The Attorney General’s Office says it has now temporarily disabled public access to the breach notification database while it reviews reporting procedures to reduce similar abuse in the future.
Prior to the shutdown, submitted breach notices were automatically published to the public database.
“We don’t have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site. We will review the one you’ve flagged, thank you,” Maine Attorney General’s Office told BleepingComputer.
The notice states that companies can continue to submit breach notifications through the reporting service, but members of the public seeking copies of disclosures must now contact the Attorney General’s Office directly.
Maine’s data breach portal is commonly used by journalists, researchers, and threat intelligence firms to monitor newly disclosed security incidents and determine whether organizations are reporting cyberattacks or data breaches affecting consumers.
The incident demonstrates how automatically published breach disclosures can be abused to spread misinformation and damage a company’s reputation.
The fraudulent VRChat filing claimed the company suffered a data breach impacting over 2.4 million people and included a fabricated employee contact name in the disclosure.
After BleepingComputer contacted VRChat about the filing, the company confirmed the disclosure was fake and stated it had not submitted the notice to Maine authorities.
BleepingComputer also contacted Discord about the fraudulent notice submitted to the site but did not receive a response.
It is unclear how many additional fraudulent breach notices may have been submitted through the portal before the state suspended public access to the database.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
