Insurance Fraud NEWS
Massive DHS data breach raises questions about Oregon’s cybersecurity protocols
June 24, 2019, Salem, OR
A January data breach at the Department of Human Services exposed the confidential information of an eye-popping 645,000 Oregonians.
Those people whose personal data was compromised were left with many questions. But the massive breach raised an even bigger question for everyone else:
What are state officials doing to protect the information stored on government computers about virtually everyone in Oregon?
State officials say they are working to address the problem, in particular with a new agency that provides data tracking and training, among other cybersecurity initiatives. Yet despite that work -- and procedures in place within individual agencies -- the security lapses continue.
And instead of disciplining employees at fault, state officials say they focus on training.
Unfortunately for consumers, training doesn’t prevent mistakes that can bring a lifetime of hassle.
What’s particularly alarming about data breaches, whether in the public or private sector, is how released information can be used to create bank and credit accounts, said Charlie Fisher, state director of the Oregon State Public Interest Research Group, or OSPIRG, a consumer advocacy group based in Portland.
Discovering a breach, he said, doesn’t eliminate the harm to consumers.
“Especially if it’s something like a Social Security number, it’s out there forever,” Fisher said. “It can follow someone for the rest of their life.”
Identifying the problem
A 2014 hack at the Oregon Employment Department that affected more than 851,000 people exposed the vulnerability of the state’s massive data storage systems.
It was one of the larger breaches in recent history. And one of the more expensive to address.
The department spent $1.9 million on the clean-up -- including postage for letters to notify people and provide them with identity theft and credit monitoring, according to a statement provided by the agency.
After the 2014 breach, the employment department hired an outside contractor to find vulnerabilities in its systems, said Bill Truex, the department’s chief information officer. He said the identified risks have been fully addressed.
Gov. Kate Brown issued an executive order in 2016 -- followed up with a law in 2017 -- mandating that state agencies coordinate both their response to and prevention of cybersecurity concerns. The order created a central state office, the Enterprise Security Office, which works closely with state agencies.
The new security office is overseen by the state’s chief information officer. Since its creation, the office has implemented annual mandatory cybersecurity trainings for state employees who work for agencies that answer to the governor, including the Department of Human Services and the employment department. Before that, state agencies implemented their own training and security measures.
The security office also started a statewide simulation to educate employees about phishing, said Joseph Wells, a state spokesman.
Even with training, attacks happen
The governor’s Enterprise Security Office is working to centralize and tighten the state’s data security measures. The office has implemented mandatory training and looks for vulnerabilities in state systems.
But hackers keep attacking. And sometimes, they find success.
Many breaches occur when employees click on links in emails from an outside source, unknowingly giving the sender access to their account, a practice known as “phishing.” But in February 2018, a tax agency employee copied 36,000 Oregonians’ tax data, including Social Security numbers, and stored that information on a personal cloud account.
The DHS breach happened when nine employees clicked suspicious links and exposed information about hundreds of thousands of people helped by the agency. Employees had received cybersecurity and privacy training, including about phishing, before the breach.
Employees at the Oregon Health Authority, which shares an information technology department with DHS, also had the training and heard messages about the dangers of phishing before -- and after -- the January breach.
Still, an Oregon State Hospital employee clicked a phishing link in May and potentially exposed the medical data of patients. The Oregon Health Authority is investigating how many people’s information may be at risk, spokesperson Robb Cowie said.
At least five other state entities, including the Oregon Institute of Technology, have discovered data breaches that impact 250 or more people since 2017, according to an Oregon Department of Justice database. The list of agencies includes those that store particularly sensitive information on everything from taxes to health care.
State officials acknowledge their responsibility to safeguard consumer data.
“We recognize we are stewards of protected health information,” Cowie said, “and it’s our job to protect that information.”
DHS spokesperson Christine Stone said training to spot phishing attempts was already included in its mandatory cybersecurity training when their department’s breach occurred in January.
“We credit this training with the fact that recent phishing was sent to thousands of employees, and only nine employees opened the email and clicked on the internet link in the message,” Stone said.
These phishing emails can be difficult to spot when hackers “spoof" accounts, or create emails that appear to be legitimate. In an attempt to combat spoofing, DHS and health authority officials are implementing a system that alerts employees when they receive emails from an outside source.
Such awareness and training is helpful, but scammers can still get through, said Ken Westin, a Portland-based director of security solutions for Elastic, a California tech company.
Best practices call for protocols not only to prevent human error, he said, but also to add another layer of protection when human error occurs.
“There’s no silver bullet to stop it,” he said, “so you need multiple controls in place.”
Multi-factor authentication is the standard for sensitive information, he said. This measure requires a second step -- aside from a username and password -- to access an account. The security measure includes responding to a message on a phone or email before being able to log into an account.
While that doesn’t prevent phishing scams from being clicked, he said, it does prevent scammers from accessing employee accounts.
Terrence Woods, Oregon’s chief information officer, wouldn’t say if Oregon uses multi-factor authentication across state agencies. He said disclosing more details about the state’s technological security response might make the state’s system more vulnerable to hackers.
However, he said, the state is trying to be proactive in the face of regular hacking attempts, even though the deck is stacked against them.
“There are more bad actors than there are people ready to respond to them,” Woods said.
What should you do?
Department of Human Services clients impacted by the January breach will receive letters in the coming weeks to notify them and instruct them on how to access the identity and credit monitoring services the state is providing.
OSPIRG officials say that everyone, whether or not they’re victims of high-profile breaches, should take steps to protect their information as such security breaches occur at a high frequency in business and government.
They recommend everyone to freeze their credit. That step prevents anyone from opening up new account under the consumer’s name unless they have a number provided to them upon activating the freeze.
Source: The Oregonian