About 645,000 people could have had their personal information pilfered after a January breach at the Oregon Department of Human Services.
The agency said Tuesday that it is providing a year of credit monitoring and an insurance policy covering up to $1 million of money lost per person as a result of the breach.
The department will start sending letters Wednesday notifying people potentially affected.
There’s no evidence, DHS says, that the personal information of any one of those people has actually been acquired improperly and used.
“We know the data breach opened up a window into the system, and allowed the information to be accessible,” said agency spokesman Jake Sunderland. “We don’t know if anyone actually even looked in the window or took something out of it.”
The agency disclosed the breach in March, nearly two months after it was detected.
In January, the technology staff noticed a pattern among the complaints coming in from DHS workers, said Sunderland.
The technology crew determined that those complaints stemmed from an attempt of what’s called “spear phishing.” However, it’s not clear who was attempting the phishing attempt or where they were located.
An email asked recipients to click on a link to log in to their email accounts through a web browser, giving the phisher the ability to get the recipient’s login information and access their email account.
The incident illustrates the scale of the havoc a single cyber-security breach can wreak. Just nine state email users who received the phishing attempt clicked that link.
But those accounts contained 2 million emails that the agency had to scan for sensitive information. That work has taken a team of 70 attorneys and paralegals who parsed each email. Some of those emails had attachments containing potentially sensitive information, according to DHS.