One of the last things they needed: Minnesota Department of Human Services Phished
State agencies tend to be in a rather unique circumstance. Their revenue source is relatively stable year after year. Their circumstances are not like those of a retailer, which can hold a sale and generate additional revenue periodically through the year. On the other side are the expenses. These generally increase annually at various levels based on the products or services. Inflation does not stop, and it increases the expenses or inputs to the product or service. A municipality or state facing a shortfall would need to be creative or raise taxes, which tends to be very unpopular. This leads to various issues and cost-cutting. The cuts may fall on staff training, leaving the agency fiscally unable to train its staff on certain measures, e.g. phishing awareness. Recently an expensive issue arose at the State of Minnesota Department of Human Services.
Phishing continues to be an issue for many industries and businesses across the nation, and it continues to be successful for the attackers. This was also recently the case with the Minnesota Department of Human Services, which was the victim of a successful phishing attack. With this type of attack, all it takes is one person in the correct department, and a successful attack is able to completely stop workflow. In this case, two employees clicked on the phishing link or attachment, and two employee email accounts were compromised. Once the email accounts were compromised, the attackers had access to the confidential data held within. The department had the opportunity to work through this in the summer of 2018, specifically on June 28th and July 9th.
The circumstances warrant a simple, yet direct question. The first attack was noted, managed, and worked through by the department, management, and the IT department. This was a rather significant issue and took a massive amount of time and resources to analyze, review, and remediate (if done correctly). As this was the case, and the total cost was more than minimal, the circumstances would appear to warrant additional training so it would not occur again. Curiously though, there was a second successful phishing attack, and it occurred very soon after the first. It almost seemed as though the IT security team did not notice the first attack.
Once the second attack was detected, naturally the email account was secured. As with any phishing attack, this did not involve focusing on only one user. There were many others who were targeted during the phishing campaign.
As noted, the State of Minnesota Department of Human Services was targeted. The department stores a massive amount of data on thousands of persons. This data is communicated throughout the department from user to user, through the different systems, and through various other channels. The users work with this data day in and day out and become almost desensitized to its pertinence, yet it has intrinsic value to attackers. It is marketable to many other, unauthorized persons across the globe.
Unfortunately for the department, data was accessed. This data included the clients' Social Security numbers, medical information, employment records, and financial details. Other information, marketable and useful but on a second tier, included the persons' full names, telephone numbers, and addresses. This is still pertinent, although the attackers could gather this information from other sources with moderate ease.
While the emails were accessed, the department was not able to fully verify whether the data had been exfiltrated. Although this was bad enough operationally and in its far-reaching effects, it could have been much worse. It is notable that the state was unsure if the data had been exfiltrated. The attackers would not have gone through the operation and effort of the full attack cycle to compromise the emails just to note they did it. The attackers treat this like a business. The more probable result is that the attackers accessed and exfiltrated the data for their own use or to sell it.
As PHI was involved, the department was required to notify the persons affected by the oversight. The notifications had to be done by October 9th. There was a significant level of forensic work involved with this. The attackers would have compromised the email system, exfiltrated what they could from there, and attempted to pivot to other systems to gain further access. The department appears to have a systemic issue, as evidenced by the two attacks, which were proximate. There should be additional training on phishing awareness.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.