This was reported by local Minneapolis news yesterday afternoon:
A data breach last year at the Minnesota agency that oversees the state’s health and welfare programs may have exposed the personal information of approximately 11,000 individuals.
The state Department of Human Services (DHS) notified lawmakers Tuesday that an employee’s e-mail account was compromised as a result of a cyberattack on or about March 26, 2018. A hacker unlawfully logged into a state e-mail account of a DHS employee and used it to send two e-mails to one of the employee’s co-workers, asking that co-worker to pay an “invoice” by wiring money.
Dan Tuchler, CMO at SecurityFirst:
“In this era where breaches can contain hundreds of millions of records, does it matter that just 11,000 individuals have been put at risk? It most certainly does, if you are one whose personal, private data has been exposed. In this case the hacker did not succeed in his attempt, but thousands of people now have had their personal data exposed and it can never be made private again. Some governmental agencies are taking action – like the EU’s GDPR. The need for broader government regulation for data security is long overdue.
Securing data requires many different actions – from encrypting data at the source, to training users to spot attacks. In this case the well-trained and astute workers reported the request to wire money – defeating the hacker, this time.”
Colin Bastable, CEO at Lucy Security:
“They don’t say whether or not the invoice was paid, but one could surmise that the attack was only discovered as a result of the accounts department querying the payment.
State and local governments are highly susceptible to phishing attacks, as we see from the rolling spate of SamSam ransomware attacks. This looks like a business email compromise (BEC) attack, which takes more planning than a standard phishing attack but can be very profitable, generating on average $140,000 per incident. BEC attackers steal around $6 billion annually, recently growing at around 25% annually.
The victims of successful BEC attacks are usually in positions of authority, well-meaning and highly motivated to “do the right thing,” responding well to deliver results under pressure. Even a simple, one-off email spoofing attack can be highly effective. Strong financial controls and constant training are key defenses.”