Wednesday, August 15, 2018

Alaska DHSS Breach: Trouble in the North

Most states have an agency, under various names, whose responsibility is to assist the citizens and the public when this is needed. This may be in the form of financial assistance, vouchers, or a combination of these. As part of the duties, the staff have to collect data on each person. This is part of the natural standard operating procedure for the service. This personal data has value in various circles.

A recent issue involves the state of Alaska’s Division of Public Assistance. On April 26 or 30, 2018, a Division of Public Assistance was found to have an unauthorized program on it. Normally, this is not the optimal situation, however, this does happen. The opportunity for an issue increases substantially when the program/software was not only unauthorized but unintentional. In this case, the company just happened to be infected with Zeus. Zeus, curiously enough, was coded to steal confidential, sensitive information from the infected system. This data and information were exfiltrated to systems in Russia.

This data included the person’s name, date of birth, social security number, pregnancy status, death records, health billing, driver’s license number, phone number, and Medicaid/Medicare billing codes for those estimated 500 persons affected, living throughout northern Alaska. This basically included most of the data you would need to take over someone’s identity.

The attack vector for this generally has been from a phishing email. The sender historically has been from a government agency or large corporation. The agency did report this, as required by Federal statute, and published a press release on the internet.

Lessons to be Applied
 With organizations consisting of multiple sites, the lack of complete communication can provide for certain issues. This hindrance should however not be a roadblock. As an example, after the Western Region detected the compromised system after the incident response was nearly or completely done, a follow-up announcement should have been made and training now and with regularity to reinforce what can happen when staff simply clicks. This example of what occurred in the region and also what people will now have to go through should provide the real-life examples to motivate people to do better. This would reinforce what can actually happen


Resources
Brooks, J. (2018, June 28). Security breach: Hackers access alaskans’ information from computer. Retrieved from http://juneauempire.com/news/state/2018-06-28/security-breach-hackers-access-alaskans-information-state-computer

Downing, S. (2018, June 28). State security breach put public assistance info at risk. Retrieved from https://mustreadalaska.com/state-security-breach-put-public-assistance-info-at-risk/

Freed, B. (2018, June 29). Alaska public assistance agency disclosed data breach from trojan horse virus. Retrieved from https://statescooop.com/alaska-public-assistance-agency-discloses-data-breach-from-trojan-horse-virus

Kirby, D. (2018, June 28). Alaska DHSS data stolen in april hack. Retrieved from http://www.ktuu.com/content/news/Alaska-Dept-of-Health-and-Social-Services-data-targeted-in-April-hack-486879811.html

State of Alaska Department of Health & Social Services. (2018, June 28). HIPAA and APIPA breach notification. Retrieved from http://dhss.alaska.gov/News/Documents/press/2018/2018-HIPAA-Breach.pdf

No comments:

Post a Comment