A successful phishing scheme has resulted in the compromise of 2 million email accounts belonging to the Oregon Department of Human Services. The incident has affected at least 350,000 people.
What’s the matter - The Oregon Department of Human Services (DHS) announced last week that it had fallen victim to a phishing campaign after nine of its employees inadvertently gave hackers access to their accounts. The data breach occurred on January 8, 2019, but the intrusion was not discovered until January 28, 2019.
“On January 28, 2019, DHS and the Enterprise Security Office confirmed that information may have been compromised through targeted phishing. Nine individual employees opened a spear phishing e-mail and clicked on a link that compromised their email boxes, allowing the malicious sender to potentially access e-mail information,” the Oregon DHS stated in its notification report.
What data has been compromised - The department is still assessing the extent of the breach. It is still unknown if any personal information has been accessed, viewed or used inappropriately by unauthorized persons.
However, the department believes that the attackers might have gained access to the personal information of clients receiving services from DHS through the compromised email accounts. The information contained in the emails included DHS clients’ names, addresses, Social Security numbers and dates of birth.
“While access to the e-mail boxes was successfully stopped, it is taking time to thoroughly review the nearly two million emails involved and determine the number of emails that might contain personal information of clients receiving services from DHS,” DHS noted.
What actions have been taken - Upon discovery, the agency acted quickly. It immediately blocked access to the affected emails by resetting the passwords. It has also informed law enforcement agencies about the incident.
The agency plans to offer identity theft recovery services free of charge to potentially affected individuals.
“The security and confidentiality of personal information is critical to DHS. While there is no indication that any personal information was copied from its email system or used inappropriately, the Dept will be offering identity theft recovery services for potentially impacted individuals. DHS is in the process of determining whose information was affected by this breach,” DHS officials wrote.
Once the assessment of the incident is complete, the agency will send notices to the affected individuals and clients.