Email phishing scheme tried to snag hundreds of state workers
SALEM — A phishing scheme that compromised 2 million emails held in Oregon Department of Human Services accounts targeted more than 400 accounts at two major state agencies.
Nine employees in four Human Services program units inadvertently gave hackers access to their accounts, said agency spokesman Robert Oakes.
Oakes said Friday, March 22, that the state still hasn't established how many state clients' information was accessed. The agency was required by state statute to notify the public because the breach could affect at least 350,000 people.
The breach came to light in late January, but state officials didn't disclose it until Thursday, attributing the time lag to the work needed to assess what happened.
The state has retained an outside firm, IDExperts of Portland, for $480,000 to do a forensic examination of the breach and help impacted clients. The contract provides for service covering a breach impacting up to one million people, and the firm's fee would be increased if its investigation determines that more than one million people had their data exposed. DHS provides services to 1.6 million people.
As of Friday, IDExperts was operating a call center and website to provide information to potential victims of the hack.
IDExperts is required to give DHS frequent updates on its findings and security recommendations. Its forensic examination will determine what personal information was available to the hackers, how much was taken and how many people are impacted. That work is expected to take two weeks, according to the contract.
Elizabeth Craig, spokeswoman for the Department of Administrative Services, said the state has used IDExperts for several years for such work. The Department of State Lands and the Department of Revenue both experienced data breaches in 2018.
Exactly which files the hackers reached is still not clear. Oakes said that on Jan. 8, 429 employees at Human Services and the Oregon Health Authority received an email stating that their Outlook email account had expired and that they had to reregister. The email, provided Friday to the Oregon Capital Bureau, included a link, a standard credential-harvesting lure. Thirty-six DHS and OHA employees clicked the link. Nine then entered their username and password on the page it led to, giving the hackers access to their accounts.
Those accounts were frozen by state IT workers as soon as the compromise was identified. By Jan. 28, DHS had established that the hack exposed personal information.
On March 15, it contacted IDExperts about a forensic review, according to the contract, and the agreement was finalized March 19. DHS sent out a news release announcing the breach March 21. Oakes couldn't provide details on why it took nearly two months from the time the department realized the breach included personal information to the time it notified the public.
The employees caught in the attack worked in the child welfare, self-sufficiency, aging and people with disabilities and vocational rehabilitation programs. Collectively, their accounts contained 2 million emails, which included spreadsheets with personal information, such as dates of birth and Social Security numbers.
All 8,500 DHS employees go through training to avoid being caught in such hacks, though the training is not always effective. On Thursday, March 21, Oakes said "human error" was at play but also said the attack was very sophisticated.