By Hillary Borrud

The Oregonian

SALEM — For the third time in a year, state employees are unable to send emails to many people they would otherwise correspond with for work.

The problem originated when an employee’s email account was “compromised,” according to a memorandum sent by the state’s Chief Information Officer Terrence Woods on Thursday. That allowed an outside party to launch an email spam campaign from the state employee’s account, which in turn caused several email providers to blacklist all email addresses containing the extensions @oregon.gov and @state.or.us.

Providers that blacklisted state emails include Outlook, MSN and Hotmail.

“We experienced the same email reputation issue just last month,” Woods wrote.

Similarly, the state’s @oregon.gov email extension was blacklisted by email providers in June, after a state employee clicked on a phishing email and a malicious party was able to send out more than 8 million spam emails from the account.

Email breaches occurred at the Department of State Lands, which manages its own email system, and the Department of Energy, which uses centralized state technology services, Department of Administrative Services spokeswoman Liz Craig wrote in an email Monday. It was not clear whether all three incidents occurred at the two agencies or if a third agency was involved.

Each time the state email system is compromised, the government must work to rebuild the reputation of its email accounts with providers so they will once again accept state emails.

“We believe the issue is resolved, but I am waiting on the official all clear from our IT staff (likely today or tomorrow),” Craig wrote. “In the meantime, employees will have to use other modes of communication (phone) with people who use these email domains and who cannot provide an alternate email address.”

Employees whose emails did not reach their intended contacts will know, because they will receive a bounce-back notification.

Although many state agencies use centralized information technology services from the Department of Administrative Services, some also run their own technology operations. Woods wrote that the state’s centralized technology office “highly recommends that agencies that manage their own email systems require two-factor authentication, limit the use of (Outlook Web Access), or simply not use (Outlook Web Access).”

“In addition, the (centralized technology office) is working with agency email administrators with email-hardening guidelines and real-time phishing scam information,” Woods wrote.

Craig wrote in an email that the centralized technology office “has published an information security awareness video series” that every agency is required to use to educate state employees on email security. Employees at most state agencies are required to go through annual information security trainings, and the state sends out updated “security awareness” materials to them on a quarterly basis.

22836719