Uncategorized

Cyber attack halts training for thousands of Oregon state employees

Oregon’s Department of Administrative Services building. (Rachel Alexander/Salem Reporter)

Thousands of state employees across dozens of Oregon agencies are awaiting the reinstatement of Oregon’s online training system after a Christmas Day cyber attack forced the state Department of Administrative Services to pull down the website.

An unknown hacker was caught Christmas Day trying to exploit a previously unknown vulnerability in the state website, state officials said. The attempted breach of iLearnOregon was detected by the state’s cyber security systems and blunted.

No information was compromised, but the training site was shut down until the state and the program vendor — Meridian Knowledge Solutions — can fix the vulnerability and ensure its security.

DAS Communications Director Elizabeth Craig said the agency expects to have the website back in operation next week. 

Craig said the vendor had to design and then test the fix to be sure it didn’t trigger other issues.

“Once that fix was given to the state, we had to install it and perform our own testing to ensure the vulnerability has been addressed and that the application is working properly,” she said. 

But the outage, now going on two weeks, has thrown into disarray the training schedules of various state agencies. 

According to Michael Beagen, state Department of Corrections training coordinator, more than 5,000 corrections employees and contractors are waiting to complete 17 online courses that were scheduled the last two weeks. An additional 21 courses for basic corrections training are currently unavailable, and the shutdown prevents the agency from submitting rosters for classroom trainings required to certify new corrections officers. 

The agency was to be conducting in-service training this week that included a 12-hour block for online courses. Since the trainings were unavailable, security employees had to either use vacation time to await the training or return to work at their respective facilities. 

“Due to the nature of our business, this is often the only time our security staff can complete the training online due to work assignments within our institutions,” Beagen said. “This will have a prolonged impact, as a future relief factor will need to be implemented in order for those staff who were unable to complete their online training during their in-service week will need to be relieved from posts in order to do so.”

Another 200 corrections employees couldn’t finish a pair of courses that were mandatory for all state employees to complete by Dec. 31. The Department of Administrative Services initially extended that deadline to Jan. 7 and now has set a Jan. 31 date.

At the Oregon Health Authority, more than 4,000 full and part-time employees are waiting to take four required training modules. Those trainings cover Oregon ethics law, public records, security and privacy awareness, as well as module for human resources and managers on domestic violence, harassment, sexual assault and stalking. 

Contact reporter Sam Stites: [email protected] or 971-255-3480.