Cyberattackers have infiltrated e-mail accounts for about 20 Hennepin County employees since late June, and may have accessed the private information of people who rely on the county's services, county officials revealed Thursday.
Using e-mails disguised as pay-raise notifications, the attackers ran a sophisticated phishing scam that duped the employees into giving up their login information, then used their official e-mail accounts and signatures to spread the attack to other contacts, according to county officials.
The county is still investigating what private information may have been exposed.
"We have a dedicated team working on this very issue, going through what could have been in those e-mail boxes," said Jerome Driessen, the county's chief information officer. He said the county generally advises people not to put private information into e-mails.
The county's 9,500 employees block millions of spam e-mails every quarter, said Driessen. He said the county has improved its cybersecurity measures and training in recent years, including conducting simulated phishing attack exercises for employees.
Since discovering the breach, the county has implemented more "best-practice" preventive measures, Driessen said.
Hennepin County has notified its business vendors of the attack and reported it to the FBI, he said.
"Traditionally, IT workers probably never envisioned a day where we'd have to work with law enforcement on these sorts of things, but it's becoming more standard," Driessen said.
The FBI did not return calls for comment on Thursday.