About 21,000 Minnesotans’ personal information could have been leaked in a data breach earlier this year, the Minnesota Department of Human Services (DHS) said Friday.
The state agency first notified people who were affected this week, although the data breach occurred in June and July after hackers were able to access two employees’ e-mail accounts through phishing campaigns.
“We sincerely regret these data security incidents and apologize for any impact they may have on you or your family,” Commissioner Emily Piper wrote in a letter to those affected.
The agency said there’s no evidence that personal information was viewed, downloaded or misused, but hackers could have had access to names, birth dates, Social Security numbers, addresses and telephone numbers.
It’s the latest cyberattack on Minnesota’s state agencies, which fend off about 3 million hacking attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies.
In just the past nine months, more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming “more pervasive and more sophisticated.”
“We’ve had a massive uptick in these phishing incidents in the last several months,” he said.
While the DHS said its data breach happened June 28 and July 9, Minnesota IT Services didn’t notify the department of the breach until Aug. 13. A DHS spokesperson said Friday that the agency has to report breaches no later than 60 days after it learns of an incident. Under a state law adopted several years ago, companies and government agencies are required to notify consumers of all data breaches.
On Friday, state Senate Majority Leader Paul Gazelka said in a statement that there was “no excuse for a delay that long” in notifying people. He wrote that the breach shows that government can’t secure data. “It’s a recipe for disaster,” he added.
Call said Gov. Mark Dayton recommended funding better technology to protect against phishing attacks, but the Legislature didn’t fund it.
“Certainly technology would have prevented this specific incident,” Call said. “I don’t know if there’s anyone more disappointed it took us this long to get to the bottom of these attacks. Sometimes it just takes time.”
Call said that, generally, attackers will look to monetize data or use e-mail addresses to send out more phishing attacks. Hackers could also try to reroute paychecks or target government systems to be disruptive.
“We’re never going to go back to the days of paper. It’s always going to be out there,” he said of personal data stored electronically. But, he added, Minnesota needs to invest more to ward off and respond to cyberattacks.
“This is definitely preventable with more investment,” Call said. “I’m fighting hard to get us there.”
Last December, a hacker targeted Explore Minnesota, the state’s tourism agency, with phony news postings on Facebook. In April 2017, an e-mail “spear phishing” attack targeted the state Department of Education but was unsuccessful in getting data. And in June 2017, a hacker targeted the University of Minnesota’s computer system but didn’t access private data, following similar attacks against Minnesota State University Moorhead and other state government databases.
DHS is preparing a report on the data breach. The report is expected by early to mid-November.