[BreachExchange] Hacker breached Minnesota state agency e-mail, placing data of 11,000 at risk

Destry Winant destry at riskbasedsecurity.com
Thu Apr 11 09:16:54 EDT 2019


http://www.startribune.com/hacker-breached-minnesota-state-agency-e-mail-placing-data-of-11-000-at-risk/508333012/

A data breach last year at the state agency that oversees Minnesota’s
health and welfare programs may have exposed the personal information
of approximately 11,000 individuals.

The state Department of Human Services (DHS) notified lawmakers Tuesday
that an employee’s e-mail account was compromised as a result of a
cyberattack on or about March 26, 2018. A hacker unlawfully logged
into a state e-mail account of a DHS employee and used it to send two
e-mails to one of the employee’s co-workers, asking that co-worker to
pay an “invoice” by wiring money.

The agency has no evidence that personal information contained in the
hacked e-mail account was “viewed, downloaded or misused in any way,”
Human Services Commissioner Tony Lourey said in a letter to
legislative leaders on Tuesday. Even so, the hacker would have had the
ability to obtain some of the account’s contents during the
cyberattack, officials said.

“This cyberattack is an assault on our efforts in state government to
provide quality services to Minnesotans in need,” Lourey wrote in the
letter. “We pledge to do everything we can to uphold the privacy of
the Minnesotans who receive services through our programs. We
apologize for any concern or other negative impact due to this
incident.”

The incident is the third data breach in just over a year at DHS, the
state’s largest agency, and comes as state agencies face a barrage of
increasingly sophisticated hacking attempts. Over the last five
months, state employees have reported more than 92,500 suspicious
e-mails — an average of over 600 per day — to Minnesota IT Services,
which provides technology services to state agencies. On average,
Minnesota IT Services security staff identifies eight new phishing
websites each day that specifically target state employees, the agency
said.

Last June and July, for instance, hackers accessed the state e-mail
accounts of two DHS employees and used those accounts to send spam
e-mails. In that incident, the personal information of about 21,000
Minnesotans was compromised. Then, last September, a hacker used an
e-mail phishing campaign to gain access to the state e-mail account of
an employee in the Children and Family Services division of DHS. The
hacker used this account to send spam e-mail messages and may have
viewed some of the information contained in the account, according to
DHS notifications.

The latest data breach occurred in the Direct Care and Treatment (DCT)
division at DHS, which provides care to about 12,000 people with
mental illnesses, developmental disabilities and substance abuse
disorders. Once the hacker gained access to the state e-mail account,
the person pretended to be a DCT employee and sent e-mails to the
employee’s co-workers. They quickly recognized that the messages were
suspicious and reported them to Minnesota IT Services.

At the time the cyberattack occurred last March, the compromised
e-mail account contained a wide range of personal information about
DHS clients, employees and applicants, including first and last names,
dates of birth, other demographic data, treatment data and information
about interactions with the agency. The account did not contain Social
Security numbers or financial information. However, it is possible
that, while in the account, the hacker viewed or downloaded some of
the account’s data, officials said.

On Tuesday DHS began sending individual letters to all the people who
may have been affected by the incident.

Responding to the string of cyberattacks, Minnesota IT Services in
February deployed a new cybersecurity tool that blocks malicious links
and attachments in e-mails intended for state employees. This tool
could have prevented many of the breaches at DHS, including the latest
incident. The agency has also revised its policies and procedures to
ensure they can respond more quickly to data security incidents.

“With further investment, we can improve our ability to detect and
deflect e-mail-based and other kinds of cyberattacks in the future to
bring those numbers down,” said Aaron Call, the state’s chief
information security officer.

