State Agencies, Department of Human Services Offices, Being Hit Hard by Phishing Scams
State executive agencies, namely Department of Human Services offices, have increasingly found themselves the victims of successful phishing scams.
Executive agencies, namely State Departments of Human Services, have proven to be low-hanging fruit of late for attackers looking to siphon sensitive information via phishing schemes.
The Minnesota Department of Human Services (DHS) announced this week that one of its employees had their email account hijacked in March 2018, presumably via a phishing attack, and that the incident potentially exposed data on 11,000 individuals.
Once the attacker gained access to the account, they used the state email account of an employee in the department's Direct Care and Treatment administration to send legitimate-looking emails to another co-worker, including one requesting they pay an invoice via wire transfer. While the co-worker identified the email as suspicious and didn't wire any money, the attacker still had access to view and download items in the email account, including information about the DHS' clients, employees, and applicants, like first and last names, dates of birth, contact information, treatment data and legal history, along with the Social Security numbers of two individuals.
The IT organization for the state of Minnesota, Minnesota IT Services (MNIT), told the department that it's unclear if the attacker viewed or stole any data from the account.
Tony Lourey, who took over as the state’s new DHS commissioner in January, confirmed the incident in a letter to the state senators and representatives on Monday.
Publicly, the March compromise is at least the fourth phishing attack known to have hit the state's Department of Human Services in 2018, preceding attacks in June, July, and September. None of the investigations into those attacks was able to determine whether the attackers took data, either.
Although two of the attacks happened in June and July, they weren't discovered until August 13; Minnesota's DHS went on to disclose the attacks and their scope to the public in October.
Those attacks appear to be more severe than March's. Emily Piper, Minnesota's DHS commissioner at the time, told victims in October that the attacks may have compromised the data of 21,000 Minnesotans, including their first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information.
In a separate attack in September, hackers were able to phish an employee at the DHS' Children and Family Services division and send out spam messages. While the attacker may have been able to view messages, a disclosure letter published in January doesn't specify what type of information may have been in the victim's e-mail account.
While only a handful of these attacks were made public, MNIT has seen a surge of security incidents of late: roughly 700 in 2018, including more than 150 serious phishing attacks, according to The Twin Cities Pioneer Press.
"These attacks are becoming more pervasive, and more sophisticated," Aaron Call, the state's chief information security officer, told the paper last fall.
The department, at the time, said it teaches its employees about email best practices and uses the technology at its disposal to prevent and mitigate data security incidents. It appears the state doubled down on that technology earlier this year: in February 2019, MNIT apparently deployed a new cybersecurity tool to block malicious links and attachments in emails sent to state employees.
It was only two weeks ago that Oregon's Department of Human Services disclosed that it too encountered a phishing attack that compromised sensitive data.
That incident, from January, impacted upwards of 350,000 Oregonians. According to a press release the department issued in March, nine different employees at the department opened a phishing email and clicked on a link that compromised their inboxes, in turn affording an attacker access to two million emails.
The department confirmed that clients' protected health information under the Health Insurance Portability and Accountability Act (HIPAA), like first and last names, addresses, dates of birth, Social Security numbers, case numbers and other information used to administer DHS programs, was at risk.
Few breaches have rivaled massive incidents like the U.S. Office of Personnel Management's and the South Carolina Department of Revenue's, but executive agencies continue to find themselves in the crosshairs of attackers.
While many states have cybersecurity training and awareness programs in place to prevent phishing attacks, not every state has one. A 2018 Deloitte-NASCIO cybersecurity study that interviewed all 50 state CISOs found that only 45 percent of states require that executive employees complete cyber training.