By Casey Chaffin

The Oregonian

A January data breach at the Department of Human Services exposed the confidential information of an eye-popping 645,000 Oregonians.

Those people whose personal data was compromised were left with many questions. But the massive breach raised an even bigger question: What are state officials doing to protect the information stored on government computers about virtually everyone in Oregon?

Officials say they are working to address the problem, in particular with a new agency that provides data tracking and training, among other cybersecurity initiatives. Yet despite that work — and procedures in place within individual agencies — the security lapses continue.

And instead of disciplining employees at fault, state officials say they focus on training. Unfortunately for consumers, training doesn’t prevent mistakes that can bring a lifetime of hassle.

Data breaches, whether in the public or private sector, furnish information that can be used to create bank and credit accounts, said Charlie Fisher, state director of the Oregon State Public Interest Research Group, a consumer advocacy group based in Portland.

Discovering a breach, he said, doesn’t eliminate the harm to consumers.

“Especially if it’s something like a Social Security number, it’s out there forever,” Fisher said. “It can follow someone for the rest of their life.”

Identifying the problem

A 2014 hack at the Oregon Employment Department that affected more than 851,000 people exposed the vulnerability of the state’s massive data storage systems. It was one of the larger breaches in recent history — and one of the more expensive to address.

The department spent $1.9 million on the cleanup — including postage for letters to notify people and provide them with identity theft and credit monitoring, according to a statement provided by the agency.

After the breach, the employment department hired an outside contractor to find vulnerabilities in its systems, said Bill Truex, the department’s chief information officer. He said the identified risks have been fully addressed.

Gov. Kate Brown issued an executive order in 2016 — followed up with a law in 2017 — mandating that state agencies coordinate both their response to and prevention of cybersecurity concerns. The order created a central state office, the Enterprise Security Office, which works closely with state agencies.

The new security office is overseen by the state’s chief information officer. Since its creation, the office has implemented annual mandatory cybersecurity trainings for state employees who work for agencies that answer to the governor, including the Department of Human Services and the employment department. Before that, state agencies implemented their own training and security measures.

The security office also started a statewide simulation to educate employees about phishing, said Joseph Wells, a state spokesman.

Even with training, attacks happen

The governor’s Enterprise Security Office is working to centralize and tighten the state’s data security measures. The office has implemented mandatory training and looks for vulnerabilities in state systems.

Many breaches begin with “phishing”: an email crafted to look legitimate lures an employee into clicking a link, which typically leads to a look-alike login page that harvests the employee’s username and password, or installs malware, giving the sender access to the account. Not every lapse is an outside attack, though. In February 2018, a tax agency employee copied 36,000 Oregonians’ tax data, including Social Security numbers, and stored that information on a personal cloud account.

The DHS breach happened when nine employees clicked suspicious links and exposed information about hundreds of thousands of people helped by the agency. Employees had received cybersecurity and privacy training, including about phishing, before the breach.

Employees at the Oregon Health Authority, which shares an information technology department with DHS, also had the training and heard messages about the dangers of phishing before — and after — the January breach.

Still, an Oregon State Hospital employee clicked a phishing link in May and potentially exposed the medical data of patients. The Oregon Health Authority is investigating how many people’s information may be at risk, spokesperson Robb Cowie said.

At least five other state entities, including the Oregon Institute of Technology, have discovered data breaches that impact 250 or more people since 2017, according to an Oregon Department of Justice database. The list of agencies includes those that store particularly sensitive information on everything from taxes to health care.

State officials acknowledge their responsibility to safeguard consumer data.

“We recognize we are stewards of protected health information,” Cowie said, “and it’s our job to protect that information.”

Moving forward

DHS spokesperson Christine Stone said training to spot phishing attempts was already included in its mandatory cybersecurity training when their department’s breach occurred in January.

“We credit this training with the fact that recent phishing was sent to thousands of employees, and only nine employees opened the email and clicked on the internet link in the message,” Stone said.

Awareness and training are helpful, but scammers can still get through, said Ken Westin, a Portland-based director of security solutions for Elastic, a California tech company.

Best practices call for protocols not only to prevent human error, he said, but also to add another layer of protection when human error occurs.

“There’s no silver bullet to stop it,” he said, “so you need multiple controls in place.”

Multifactor authentication is the standard for sensitive information, he said. It requires a second step, beyond a username and password, to access an account: the user must respond to a prompt or enter a one-time code delivered to a phone or email before the login is allowed.

While that doesn’t prevent phishing scams from being clicked, he said, it does prevent scammers from accessing employee accounts.
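To make the point above concrete, here is an added example (not code from the article, the state, or Elastic) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, the scheme used by common authenticator apps). The user name, password, TOTP secret and timestamp are constructed demo values. It shows that a password captured by a phishing page is not enough on its own, and that an already-used code cannot be replayed.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6       # code length shown by the authenticator app


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash for the demo user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UserStore:
    """Minimal in-memory user store: password hash plus per-user TOTP secret."""

    def __init__(self):
        self.users = {}

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,   # highest TOTP counter already accepted
        }

    def login(self, username: str, password: str, otp: str, now: int) -> bool:
        """True only if the password AND a fresh, valid one-time code are both presented."""
        user = self.users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return False
        # Accept the current window and the previous one, so a code typed just as the
        # window rolls over still works. Never accept a counter at or below the last
        # one used: a phished or shoulder-surfed code cannot be replayed.
        for skew in (0, -1):
            t = now + skew * TIME_STEP
            counter = t // TIME_STEP
            if counter <= user["last_counter"]:
                continue
            if hmac.compare_digest(totp(user["totp_secret"], t), otp):
                user["last_counter"] = counter
                return True
        return False


def demo():
    """Constructed scenario: a phished password alone, a real login, then a replay."""
    store = UserStore()
    secret = b"constructed-demo-secret"          # demo value, not a real credential
    store.add_user("jdoe", "Winter2019!", secret)
    now = 1_560_000_000                          # fixed timestamp for a repeatable demo

    # Attacker has only the password captured by a phishing page, no second factor.
    password_only = store.login("jdoe", "Winter2019!", "", now)
    # Legitimate user: password plus the code from their authenticator app.
    legit = store.login("jdoe", "Winter2019!", totp(secret, now), now)
    # Attacker who also captured that code and resends it: rejected as already used.
    replayed = store.login("jdoe", "Winter2019!", totp(secret, now), now)
    return password_only, legit, replayed


if __name__ == "__main__":
    print(demo())
```

One caveat the article does not mention: a code-based second factor still leaves a window for a phishing site that relays the victim's password and code to the real service in real time, so for the most sensitive accounts phishing-resistant factors (hardware security keys using FIDO2/WebAuthn, which bind the login to the genuine site) are preferred.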
