By Brooke Crothers
Published June 20, 2019
Opening a fraudulent email can wreak havoc, as a recent incident in Oregon shows.
This week, the Oregon Department of Human Services (DHS) notified approximately 645,000 clients that their personal information was compromised as a result of a phishing email breach.
Phishing involves sending fraudulent email masquerading as a trustworthy entity in order to steal sensitive information, such as passwords and credit card data. The email typically directs you to a bogus website that looks legitimate.
The email was sent to Oregon’s DHS employees on Jan. 8, 2019. Nine employees opened the email and clicked on a link that allowed the sender to access their email accounts. The next day, the nine employees reported problems, according to an Oregon DHS statement.
By Jan. 28, 2019, access to the nine affected accounts was halted, when a cybersecurity team confirmed that the phishing incident was a data breach, the DHS added.
The result was exposed data – contained mostly in email attachments – that included names, addresses, dates of birth, Social Security numbers, case numbers, personal health information and other information used in DHS programs, the department said.
On March 21, 2019, the public was notified. The department also sent notice to national credit reporting agencies TransUnion, Experian and Equifax.
“The scale of this breach is startling considering it was perpetrated through just nine successful phishing emails,” Willy Leichter, VP at Virsec, told Fox News in a statement.
“Many organizations still rely on the ‘common sense’ of users not to click on phishing attempts, but that’s completely inadequate,” Leichter added.
One thing that stands out, in this case, is the 19-day delay between detecting the phishing attack and shutting down the email accounts, Colin Bastable, CEO of Lucy Security, told Fox News in a statement.
“They were using email as a data storage solution. Why on earth are they sending and saving confidential documents as unsecured attachments via email?” Bastable said.
“The technology, processes and policies exist to prevent this type of breach," according to Bastable, adding that "healthcare is a highly-targeted industry for hacking and phishing because security is poor and the data is very valuable."
Harvested data is sold, repackaged and resold multiple times on the Dark Web. “The 645,000 Oregonians and their families and friends will be compromised and inconvenienced in some manner for years to come," Bastable noted.
The Oregon DHS is providing 12 months of identity theft monitoring and recovery services to affected individuals. That also includes a $1 million insurance reimbursement policy.