Over 600,000 Oregon residents have been told their personal information may have been compromised after a successful phishing campaign against employees of the state’s Department of Human Services (DHS).
The agency is sending 645,000 clients breach notices following a January 2019 incident, it said in a statement last week.
Nine DHS employees clicked through a phishing email sent early in the month, giving hackers access to their accounts.
“Beginning January 9, 2019, these nine employees started reporting problems. All affected accounts were located and access to the nine affected accounts was stopped by January 28, 2019,” it continued. “On January 28, 2019 the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach.”
Although no additional malware was downloaded and no further accounts were compromised, investigators determined that the incident may have exposed as many as two million emails to the attackers.
“Most client information involved in the breach was in email attachments, like reports. The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs,” the DHS notice continued.
“The personal health information includes ‘Protected Health Information,’ or PHI, covered under the Health Insurance Portability and Accountability Act (HIPAA). Not all of these information types were exposed for each person.”
Although the DHS said it regularly patches systems, completes independent security assessments and even trains staff on a regular basis, the incident highlights the challenge of mitigating the phishing threat.
Verizon claimed in its most recent Data Breach Investigations Report (DBIR) that a third (32%) of breaches were linked to phishing attacks last year.