Data breach

A successful phishing scheme compromised 2 million emails from the Oregon Department of Human Services.

A phishing scheme that successfully compromised 2 million emails from Oregon Department of Human Services accounts targeted more than 400 accounts at two major state agencies.

Nine employees in four units of Human Services departments inadvertently gave hackers access to their accounts, said agency spokesman Robert Oakes.

Oakes said Friday that the state still hasn’t established how many state clients’ information was accessed. The agency was required by state statute to notify the public because of the potential for it to impact at least 350,000 people.

The breach occurred in late January, but state officials didn’t disclose it until Thursday, attributing the time lag to work needed to assess what happened.

The state has retained an outside firm for $480,000 to do a forensic examination of the breach and help impacted clients. That contract provides for service covering a breach impacting up to one million people, according to the contract with IDExperts of Portland. The firm’s contract would be boosted if its investigation determines more than one million had their data exposed, according to the contract. DHS provides services to 1.6 million people.

As of Friday, IDExperts were operating a call center and website to provide information to potential victims of the hack.

IDExperts is required to give DHS frequent updates on its findings and security recommendations. Its forensic examination will determine what personal information was available to the hackers, how much was taken and how many people are impacted. That is expected to take two weeks, according to the contract.

Elizabeth Craig, spokeswoman for the Department of Administrative Services, said the state has used IDExperts for several years for such work. The Department of State Lands and the Department of Revenue both experienced data breaches in 2018.

The details of the attacked files are still not clear. Oakes said that on Jan. 8, 429 employees at Human Services and the Oregon Health Authority received an email stating their Outlook email account had expired and they had to reregister. The email, provided Friday to the Oregon Capital Bureau, included a link. Thirty-six DHS and OHA employees clicked the link. Nine then entered their username and password, giving the hackers access to their accounts.

Those accounts were immediately frozen by state IT workers. By Jan. 28, DHS established that the hack exposed personal information.

On March 15, it contacted IDExperts about a forensic review, according to the contract, and the agreement was finalized Tuesday. DHS sent out a news release announcing the breach Thursday. Oakes couldn’t provide details on why it took nearly two months from the time the department realized the breach included personal information to the time it notified the public.

The employees caught in the attack worked in the child welfare, self-sufficiency, aging and people with disabilities and vocational rehabilitation programs. Collectively, their accounts contained 2 million emails, which included spreadsheets with personal information, such as dates of birth and Social Security numbers.

All 8,500 DHS employees go through training to avoid being caught in such hacks, though they are not always effective. On Thursday, Oakes said “human error” was at play but also said the attack was very sophisticated.

People who are worried their information was involved can call 800-792-1750 or visit http://ide.myidcare.com/oregonDHS for help.

Reporter Aubrey Wieber: aubrey@salemreporter.com or 503-575-1251. Wieber is a reporter for Salem Reporter who works for the Oregon Capital Bureau, a collaboration of EO Media Group, the Pamplin Media Group, and Salem Reporter.

Locations

Recommended for you

(0) comments

Welcome to the discussion.

Keep it Clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
PLEASE TURN OFF YOUR CAPS LOCK.
Don't Threaten. Threats of harming another person will not be tolerated.
Be Truthful. Don't knowingly lie about anyone or anything.
Be Nice. No racism, sexism or any sort of -ism that is degrading to another person.
Be Proactive. Use the 'Report' link on each comment to let us know of abusive posts.
Share with Us. We'd love to hear eyewitness accounts, the history behind an article.