Phishing scam hits Minnesota state agency; 21,000 accounts affected
ST. PAUL -- Scammers compromised two state email accounts over the summer, giving them potential access to the private information of about 21,000 Minnesotans.
Social Security numbers, medical information, employment records and financial details were compromised in the scam. Basic contact information like full names, telephone numbers and addresses was also affected.
The scams, known as “phishing,” targeted the Department of Human Services and happened on June 28 and July 9. But affected individuals did not find out until Oct. 9.
However, there is no evidence that compromised information has been “viewed, downloaded, or misused,” Commissioner Emily Piper said in a letter to individuals affected by the hacks.
“Because the Minnesota Department of Human Services respects and values the privacy of your personal information, we want you to know about two recent data security incidents that may have resulted in someone accessing your personal information without permission,” the letter said.
The department told people affected by the attacks to keep an active eye on their credit card reports. DHS, which administers social and financial assistance to needy people in the state, said it will release a report on the incidents.
The state’s information technology department, MNIT, was able to eliminate the threat and stop the spread of phishing emails within two hours of finding out about the compromised accounts, said Aaron Call, the state’s chief information security officer.
Phishing is a type of email fraud that tries to trick a person into providing sensitive information like passwords or financial information.
Hackers use phishing, MNIT said, because it is often easier to trick someone into giving up a password or sensitive information than to hack into an entire system.
Common characteristics of phishing emails are:
The appearance of real emails or web pages that contain a familiar company logo;
Too-good-to-be-true offerings like prizes or trips;
Requests that you act urgently, like time-limited offers, malware infection remedies and account deactivation requiring an immediate login, MNIT said.
Compromised data is usually “used for additional phishing attacks or to log into the victims’ online accounts to steal data, money or cause other mischief,” MNIT officials said.
The attacks are indicative of a growing number of “constant and invasive” cyber threats, MNIT Commissioner Johanna Clyborne said.
The number of phishing attacks is trending upward as the attacks become more profitable, Call said. “I see no indication of it slowing down in the near future.”
MNIT officials say recent successful phishing efforts on the Pentagon, Uber, Equifax and Facebook show the severity of these types of attacks.
In the last nine months, MNIT has seen more than 700 security incidents, which included more than 150 “serious phishing attack cases impacting the State of Minnesota,” Call said. “These attacks are becoming more pervasive, and more sophisticated.”
As the threat of these types of attacks increases, the state is going to have to give cybersecurity “more attention and unfortunately more of our resources,” Sen. Warren Limmer, R-Maple Grove, said at a committee meeting earlier this week.
Since July, 1,600 phishing messages have been sent to state employees, Call said.
The good news is, Call said, technology exists that can help prevent these types of attempts. However, he said, the Legislature has not approved funding to buy new technology or increase state spending on cybersecurity. Minnesota spends 2 percent, while the industry standard is closer to 8 to 10 percent, he said.
Minnesota IT Services is responsible for private data, such as Social Security numbers and banking information, of 5.5 million Minnesotans, and it fends off around 3 million data probes every day, according to state officials. With the number of attacks growing and becoming more sophisticated, “critical investments cannot wait,” Call said in a statement.
Republicans and Democrats agree that there needs to be more money spent on cybersecurity, but nothing has been able to pass successfully through the Legislature.
To strengthen its cybersecurity without additional funding, MNIT officials said, they “will continue to explore new ways to leverage existing tools.” But they also caution: “Without investment to shore up Minnesota’s security defenses, the ultimate result will be continued attacks and continued security incidents.”
“IT staff can’t prevent anyone from clicking on a link,” Clyborne said. “There is a human element.”
Here is a list of things MNIT says to look out for:
Links embedded in messages that display a weird address when you hover your mouse over them.
Spelling mistakes and poor grammar.
A vague salutation — something like “Dear valued customer.”
A request for personal or work credentials via email.
Threatening, urgent language.
Attachments in an email that you weren’t expecting.
A vague signature at the bottom of the email that doesn’t contain additional contact information.