The last thing they needed: Alaska DHSS breach
Most states have an agency, under various names, whose responsibility is to assist citizens and the public when they need it. This may be in the form of financial assistance, vouchers, or a combination of these. As part of their duties, the staff have to collect data on each person. This is part of the standard operating procedure for the service. This personal data has value in various circles.
A recent issue involves the State of Alaska’s Division of Public Assistance. On April 26 or 30, 2018, a Division of Public Assistance computer was found to have an unauthorized program on it. This is never the optimal situation, but it does happen. The opportunity for an issue increases substantially when the program is not only unauthorized but also unintentional. In this case, the system was infected with Zeus. Zeus was coded to steal confidential, sensitive information from the infected system. This data was exfiltrated to systems in Russia.
The data included each person’s name, date of birth, social security number, pregnancy status, death records, health billing, driver’s license number, phone number, and Medicaid/Medicare billing codes for the estimated 500 persons affected, living throughout northern Alaska. This is most of the data you would need to take over someone’s identity.
The attack vector for this has generally been a phishing email. Historically, the email has appeared to come from a government agency or large corporation. The agency did report the breach, as required by Federal statute, and published a press release on the internet.
Lessons to be Applied
In organizations consisting of multiple sites, a lack of complete communication can cause issues. This hindrance should not, however, be a roadblock. As an example, once the Western Region had detected the compromised system and the incident response was nearly or completely done, a follow-up announcement should have been made, and training should be held now and at regular intervals to reinforce what can happen when staff simply click. What occurred in the region, and what the affected people will now have to go through, should provide the real-life examples to motivate people to do better. This would reinforce what can actually happen.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.