On Thursday, March 21, the Oregon Department of Human Services (DHS) acknowledged that there was a breach of their systems in January, exposing 2 million email messages which may have contained sensitive personal information such as the names, dates of birth, addresses and even case numbers of a currently undetermined number of the 1.6 million who use its services.
DHS is responsible for the state’s foster care, aging and disabilities, and food stamps programs.
According to reporting, nine employees of DHS fell victim to a “phishing” attack. “Phishing” is one of the oldest types of email scams, where a message is made to seem legitimate, but its goal is to harvest login and access information from whoever uses the links inside. DHS says that their employees undergo training to prevent such breaches, but DHS spokesperson Robert Oakes said that “human error” was a factor. Oakes described the attack as “an extremely sophisticated email attack on our system.”
Why DHS took months to report that this major data breach occurred is still unclear. The agency stated that the time gap was to assess the full impact of the attack before disclosing the details. DHS is required by state law to disclose events like this which have the potential to affect at least 350,000 people.
DHS has retained a private firm, IDExperts, to do a “forensic examination of the breach and help impacted clients.” According to a number of statewide news organizations, their current contract, at $480,000, provides for assisting up to one million people, with an option to boost the contract if the exposure is greater than one million people. It is unclear so far whether this means DHS is gearing up to handle a large-scale breach or if they simply want to ensure the breach is handled regardless of its ultimate scope.
This is the latest incident in which DHS has been criticized for a lack of transparency, after a report last month described the conditions Oregon foster children face in private, out-of-state facilities. It is also the latest in a series of data breaches across multiple sectors of the state government. There were security breaches in both the Secretary of State and the Employment Department in 2014, at the state’s data center in 2015, and last year it was revealed that an employee of the state tax agency copied the personal information of 36,000 people.
Do you have a story for The Advocate? Email editor@corvallisadvocate.com