A payroll employee at Commonwealth Corporation, a state service contractor, emailed a hacker the encryption key for a database containing the payroll data of 164 current and former state employees.
According to State Auditor Suzanne Bump, an audit conducted by her office revealed that the Massachusetts-based agency is one of the latest victims of the data breaches that have plagued government institutions in the United States. Bump made the breach public on Tuesday.
The Commonwealth Corporation, more commonly known as CommCorp, is a quasi-public agency in Massachusetts dedicated to developing workforce skills training for young people and unemployed workers. It is funded by payments from the state’s unemployment trust fund and holds a contract with the state to administer a major workforce grant program.
According to the audit, a hacker impersonating the Commonwealth Corporation’s president and chief executive officer gained unauthorized access to the organization’s email system last year, on March 19, 2018. That covert access to the email system let the hacker reach the payroll data and W-2 forms of 164 employees who worked for the corporation between 2008 and 2017.
Although the data was encrypted, an unsuspecting payroll employee emailed the encryption key to the hacker, contrary to company policy, believing the request came from the organization’s president and CEO.
The hack was identified after the hacker attempted to transfer $3,500 from an online bank account. The organization then notified state and federal authorities and offered its employees free credit monitoring.
Following the audit, the company said it has already taken steps to remedy the problem, has distributed updated information technology security policies to staff, and has committed to annual mandatory training.
“I commend Commonwealth Corporation for its overall response to the hack and for strengthening its cyber security defenses and hope this incident spurs other government and quasi-public agencies to review their defenses against similar phishing attacks,” Bump said in a statement.
While the data breach on Commonwealth Corporation’s server appears to be an isolated case, experts still urge every organization to strengthen its cybersecurity measures amid the growing number of attacks targeting government institutions.
Earlier this month, a group of tech experts identified patterns in the cyber attacks against government systems and large businesses around the world. After announcing that Whitefly, a hacking group linked to several high-level attacks in different countries, was responsible for the controversial SingHealth breach, the experts suggested that the attack on SingHealth is part of a larger global operation to collect data from government institutions, technology companies, and energy and transport organizations, among others.
While Whitefly focused solely on attacks against Singaporean databases, the experts argued that the group could be part of a global network of hackers, with other members infiltrating systems in other regions toward the same goal. They noted that their respective investigations had established links to attacks in other areas that used similar attack tools, and announced that the SingHealth breach was related to other operations that launched cyber attacks on telecommunications, defense, and energy targets in Southeast Asia and Russia.
Furthermore, a suspected government database in China was left exposed online containing personal data on women, including their names, addresses, phone numbers, social security numbers, and a “BreedReady” status. The discovery was made by Victor Gevers, a researcher at GDI.Foundation, an organization that has been exposing unprotected databases and data breaches online.
Gevers also discovered two other databases with a schema similar to the “BreedReady” database and was able to trace the IP address to a university in China. Many have speculated that the databases Gevers uncovered were part of a larger data pool kept by local and municipal registries for processing applications for a second child, following legislation that requires couples to obtain state approval before having another child.
As attacks on government organizations grow at an alarming rate, technology and cybersecurity experts urged the leaders of these organizations to invest in cybersecurity, including educating their members and employees on how to handle attacks and what to do if a breach happens to them.