Phishing scheme gains entry to Oregon DOJ emails
A phishing scheme succeeded in breaking into the email accounts of five Oregon Judicial Department employees, exposing personal information of more than 6,000 people.
A forensic team determined that none of the information has been used in an inappropriate way so far.
The attack occurred at 4:30 a.m. July 15. Within three hours, department staff had closed the breach. In the weeks since, the department hired a forensic team to analyze the impacts of the breach. They found 6,607 people were impacted. Names, birthdates and some financial information were exposed, according to a department news release. In rare cases, health information and social security numbers were exposed.
"We've had instances where people forward tax returns in emails," Acting Deputy State Court Administrator Phil Lemman said. "That's not something we like them to do but it does happen, and in cases like this it can get exposed."
Lemman said originally a private attorney had their email account hacked. The hackers gained access to the attorney's address book, and sent an email to workers in the state court system. That effort gained entry to a Washington County Circuit Court administrative staffer's account. The email was then sent to Judicial Department staff, and five employees took the bait. Lemman said he didn't know if they clicked a link, but said the five entered their usernames and passwords, which hackers were able to access.
Cyber security software caught the intruder quickly, and one employee alerted the department's technical support team, Lemman said.
Lemman said that state law requires the department to alert those who had information compromised within 45 days of the attack, but it also requires the department to identify those people and what information was compromised. That's why the announcement is coming weeks after the attack, Lemman said.
Some of the exposed information belongs to department employees, and some comes from those interacting with the court system. Some of the information deemed "private" by law is also public record, like arrest rosters, he said.
The attackers did not gain access to any of the department's internal systems.
The department is offering victims of the scheme a year of credit and internet monitoring services, an insurance policy reimbursing them for up to $1 million in potential financial damage and identity theft recovery services.
Lemman said the department is not happy to be added to the list of organizations hit by phishing schemes, but he's glad it was caught early and the damage was limited.
You count on us to stay informed and we depend on you to fund our efforts. Quality local journalism takes time and money. Please support us to protect the future of community journalism.