Successful phishing scheme was sent to more than 400 workers in two large state agencies

The Department of Human Services’ Salem headquarters. (Mark Miller/Pamplin Media Group)

SALEM – A phishing scheme that successfully compromised 2 million emails from Oregon Department of Human Services accounts targeted more than 400 accounts at two major state agencies.

Nine employees in four units of Human Services departments inadvertently gave hackers access to their accounts, said agency spokesman Robert Oakes.

A screenshot of the email that was sent, which the Oregon Capital Bureau received from the Department of Human Services.

Oakes said Friday that the state still hasn’t established how many state clients’ information was accessed. The agency was required by state statute to notify the public because of the potential for it to impact at least 350,000 people.

The breach occurred in late January but state officials didn’t disclose it until Thursday, attributing the time lag to work needed to assess what happened.

The state has retained an outside firm for $480,000 to do a forensic examination of the breach and help impacted clients. That contract provides for service covering a breach impacting up to one million people, according to the contract with IDExperts of Portland. The firm’s contract would be boosted if its investigation determines more than one million had their data exposed, according to the contract. DHS provides services to 1.6 million people.

As of Friday, IDExperts was operating a call center and website to provide information to potential victims of the hack.

IDExperts is required to give DHS frequent updates on its findings and security recommendations. Its forensic examination will determine what personal information was available to the hackers, how much was taken and how many people are impacted. That is expected to take two weeks, according to the contract.

Elizabeth Craig, spokeswoman for the Department of Administrative Services, said the state has used IDExperts for several years for such work. The Department of State Lands and the Department of Revenue both experienced data breaches in 2018.

The details of the attacked files are still not clear. Oakes said that on Jan. 8, 429 employees at Human Services and the Oregon Health Authority received an email stating their Outlook email account had expired and they had to reregister. The email, provided Friday to the Oregon Capital Bureau, included a link. Thirty-six DHS and OHA employees clicked the link. Nine then entered their username and password, giving the hackers access to their accounts.

Those accounts were immediately frozen by state IT workers. By Jan. 28, DHS established that the hack exposed personal information.

On March 15, it contacted IDExperts about a forensic review, according to the contract, and the agreement was finalized Tuesday. DHS sent out a news release announcing the breach Thursday. Oakes couldn’t provide details on why it took nearly two months from the time the department realized the breach included personal information to the time it notified the public.

The employees caught in the attack worked in the child welfare, self-sufficiency, aging and people with disabilities, and vocational rehabilitation programs. Collectively, their accounts contained 2 million emails, which included spreadsheets with personal information, such as dates of birth and Social Security numbers.

All 8,500 DHS employees go through training to avoid being caught in such hacks, though it is not always effective. On Thursday, Oakes said “human error” was at play but also said the attack was very sophisticated.

Reporter Aubrey Wieber: 503-575-1251. Wieber is a reporter for Salem Reporter who works for the Oregon Capital Bureau, a collaboration of EO Media Group, the Pamplin Media Group, and Salem Reporter.