Oregon DHS Data Breach Compromised 2 Million Emails
Oregon Department of Human Services (DHS) announced that approximately two million emails were hacked in a January 8 data breach. The hackers gained access to DHS employee emails with a targeted spear phishing attack in which nine employee mailboxes were breached, compromising the data from about two million emails and 350,000 clients.
Oregon DHS states that nine employees clicked on a link in a spear phishing email that was sent on January 8, 2019. The email breach followed on January 28 and allowed the hackers to access about two million employee emails that contained the personal data of clients.
The spear phishing email attack allowed hackers to access the personal information of over 350,000 clients in Oregon DHS welfare and children services programs. The emails exposed Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The hacked emails contained client data such as full names, birthdates, Social Security numbers, addresses, case numbers, and other personal information used to administer DHS programs.
The passwords of the hacked DHS email boxes were reset to stop the hackers.
What is a Spear Phishing Attack?
A spear phishing email attack is a cybercrime in which a hacker sends phishing emails to targeted individuals. Spear phishing emails are targeted at one or more individuals and use information previously gathered about the recipient. For example, in the case of Oregon DHS, the hackers may have gathered the names and email addresses of employees from the agency's own website. The more information a hacker has about the target, the more tailored the email is, which makes it more believable. A spear phishing email may address the recipient by their first name and contain other information known about the recipient that was gleaned from a work website, social media, or previous interactions. Spear phishing emails are crafted and focused. They can be a multistep, patient process.
Spear phishing attacks typically send a smaller quantity of emails than seen in a broader phishing email attack.
The hack is a data breach under Oregon’s Identity Theft Protection Act (ORS 646A.600 to 646A.628). Since the number of potential victims exceeds 350,000, notifications were released to the media and on state agency websites. IDExperts is handling the data breach on behalf of DHS and has established a toll-free number at 800-792-1750 to assist clients.
Oregon DHS is offering free credit monitoring and identity theft recovery services for people breached by the hackers. Individuals who are part of the data breach will receive a notification through US postal mail. Consumers have the option to freeze their credit reports for free. Parents may request a credit report freeze for DHS minors under the age of 16.