The Oregon Department of Human Services (DHS) has started notifying more than 600,000 people that their personal details have been put at risk after staff were tricked into granting hackers access to millions of emails.
According to the agency, the security breach occurred on January 8, 2019 when nine employees clicked on a link in an email that purported to be an official government communication.
The targeted phishing email tricked staff members into entering their passwords, handing what should have been well-protected login credentials to criminals.
On 28 January, the Department of Human Services and the Department of Administrative Services Enterprise Security Office became aware of the security breach after staff noticed their mailboxes had been accessed, and confirmed that the hackers may have been able to access approximately two million emails.
Information inside the exposed emails included sensitive health information, names, dates of birth, social security numbers, addresses, case numbers, and other information.
Most of the client information involved in the breach was in the form of email attachments, such as reports. The personal health information included Protected Health Information (PHI), covered under the Health Insurance Portability and Accountability Act (HIPAA). Not all of these information types were exposed for each person.
The Oregon DHS, which oversees a number of programs including ones related to child welfare, self-sufficiency, the elderly, and people with disabilities, says that it immediately reset staff passwords to prevent further access from the hackers. Oregon State Police were also notified.
However, it has taken some time for affected individuals to be notified that their personal details may now be in the hands of hackers.
In an FAQ, the State of Oregon DHS explains why its investigation took so long:
“With any such event, it takes time to investigate if an incident even occurred, gather the relevant information, identify the affected individuals and make the appropriate decisions to line-up the services that are being offered to identified affected individuals. While access to the email boxes was successfully stopped, it took time to thoroughly review the nearly two million emails involved and determine the number of emails that might contain personal information of clients receiving services from DHS.”
DHS spokesman Robert Oakes described the security breach as “an extremely sophisticated email attack.”
Now clearly Oregon DHS knows more about what happened than I do, but on the face of things – it doesn’t sound that sophisticated to me.
Targeted phishing attacks are commonplace, with emails carefully crafted by online criminals to appear relevant to members of staff, and frequently cloaking their true origin so as to appear to be from a legitimate source.
Although hard to prevent entirely, organisations can reduce the risk of a targeted phishing attack succeeding in a number of ways – including putting rules in place to mark emails that come from outside the organisation, deploying a password manager which refuses to enter passwords on unauthorised sites, and putting multi-factor authentication in place.
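Two of the mitigations listed above can be shown in a few lines of code. The following Python is an added example written for this page; it is not code from the article or from Oregon DHS, and every domain, address and message in it is constructed. It models an inbound mail rule that tags messages from outside the organisation (and flags a display name that borrows an internal name while the address is external), and the origin check a password manager performs before it fills a saved login, which is what stops credentials being typed into a lookalike page:

```python
"""Added example, not from the article or Oregon DHS: two of the phishing
mitigations the article names, modelled in plain Python.

1. A mail rule that tags messages from outside the organisation, so a message
   dressed up as an internal or government communication is visibly external.
2. The origin check a password manager performs before filling a saved login,
   so a lookalike password-entry page receives nothing.

All domains, addresses and messages here are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: these are the organisation's own mail domains.
INTERNAL_DOMAINS = {"dhs.example.gov"}
EXTERNAL_TAG = "[EXTERNAL]"


def make_message(from_header: str, subject: str, body: str = "") -> Message:
    """Build a minimal RFC 5322 message from constructed header values."""
    return message_from_string(f"From: {from_header}\nSubject: {subject}\n\n{body}\n")


def sender_domain(msg: Message) -> str:
    """Domain of the From address, lower-cased ('' if the header is absent)."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    return sender_domain(msg) not in INTERNAL_DOMAINS


def display_name_spoofs_internal(msg: Message) -> bool:
    """True when an external sender's display name borrows an internal name,
    e.g. 'Oregon DHS Security <notice@dhs-secure-example.net>'."""
    display, _addr = parseaddr(msg.get("From", ""))
    internal_labels = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    words = {w.lower() for w in display.replace("-", " ").split()}
    return is_external(msg) and bool(words & internal_labels)


def tag_external(msg: Message) -> Message:
    """Prefix the Subject with EXTERNAL_TAG for external senders (idempotent)."""
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]  # Message.__setitem__ appends, so remove the old header first
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


# --- password manager side ---------------------------------------------------

# Assumption: saved logins are keyed by the exact host they were saved on.
SAVED_LOGINS = {"login.dhs.example.gov": ("jdoe", "correct-horse-battery")}


def credential_for(url: str):
    """Return the saved (user, password) only for an https page on the exact
    host the credential was saved for; anything else gets None. Real managers
    usually relax this to the registrable domain via the Public Suffix List,
    which still rejects 'login.dhs.example.gov.<attacker-domain>'."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return SAVED_LOGINS.get(parts.hostname.lower())


# Constructed phishing message in the style the article describes.
PHISH = make_message(
    "Oregon DHS Security <notice@dhs-secure-example.net>",
    "Action required: verify your account",
    "Please confirm your password at "
    "https://login.dhs.example.gov.dhs-secure-example.net/",
)

if __name__ == "__main__":
    msg = tag_external(PHISH)
    print(msg["Subject"])                       # [EXTERNAL] Action required: verify your account
    print(display_name_spoofs_internal(msg))    # True
    print(credential_for("https://login.dhs.example.gov.dhs-secure-example.net/"))  # None
    print(credential_for("https://login.dhs.example.gov/reset"))  # ('jdoe', 'correct-horse-battery')
```

The subject tag only works if it is applied at the mail gateway, where the user cannot forget to look for it; the password-manager check works because the saved credential is bound to the host where it was created, so a page on any other host, however convincing, never sees it. Multi-factor authentication then limits what a password alone is worth if the first two controls are bypassed.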
The Oregon Department of Human Services is offering identity theft protection to affected individuals.