Minnesota’s Department of Human Services (DHS) headed by its Commissioner Tony Lourey has issued a document to both houses of Congress detailing its data breach happened with the department affecting 11,000 people. It only took the hackers to persuade a DHS employee in opening an “invoice” email, and the department normally receives 92,500 phishing/spam emails for the last five months. It only shows that it only takes one less informed employee opening a malicious email to cause infiltration in a network at the expense of thousands of user data.
“During this cyberattack, the hacker used the state email account of an employee in our Direct Care and Treatment administration to send legitimate-looking emails to one of the employee’s co-workers. The hacker would have had the ability to view, download or otherwise obtain some of the account’s contents during this cyberattack. DHS is unable to identify what, if any, information was viewed or obtained by the hacker. After the DHS employees reported the suspicious emails to MNIT, it took action to secure the compromised account and investigate the incident,” explained the Commissioner Tony Lourey.
DHS itself has no capability to track down and identify all people whose personal files have been breached, hence the department hired an external team in order to handle the complexity of tracking down the potential victims. The 3rd party team is mandated to contact all victims and offer them help by March 21, 2019.
“At the time it was compromised, the account contained various types of personal information about DHS’ clients, employees and applicants, including but not limited to first and last names, dates of birth, contact information, treatment data and legal history. The account also contained Social Security numbers of two individuals at the time it was compromised; it did not contain any financial account information,” added Lourey.
DHS has acquired a new cybersecurity tool that they claim will block future cyber attacks by hardening their system. The department is also aware that their current IT policies were very lenient, and it is now undergoing a major audit, new IT policies will be rolled out that will prevent major cyber attacks in the future.
“This cyberattack is an assault on our efforts in state government to provide quality services to Minnesotans in need. We pledge to do everything we can to uphold the privacy of the Minnesotans who receive services through our programs. We apologize for any concern or other negative impact due to this incident. We will also post information about this incident in our website http://mn.gov/dhs and prepare a report about this incident. We sincerely regret this data security incident,” said Lourey.
In support of the DHS’ desire to improve their cybersecurity arrangement, Minnesota’s Chief Information Security Officer has been ordered to harden DHS’ systems in order to keep intruders from successfully pulling off a phishing attack again.
“With further investment, we can improve our ability to detect and deflect e-mail-based and other kinds of cyberattacks in the future to bring those numbers down,” said Aaron Call, Minnesota’s CISO.