The personal information of over 645,000 Oregonians who signed up for benefits with the state's Department of Human Services (DHS) was inadvertently exposed to hackers after nine DHS employees were fooled by phishing emails.
The phishing attack happened on January 8, 2019, according to a news release from the Oregon DHS this week.
Starting the next day, the nine employees who fell for the phishing attack began experiencing problems with accessing their email accounts.
A subsequent investigation discovered the phishing incident. DHS staff secured accounts by January 28, a full 20 days after hackers first got in.
The DHS and the Enterprise Security Office Cyber Security team said that the intruders had access to over two million emails. The emails contained file attachments with the data of over 645,000 Oregonians who had enrolled at one point or another for various benefits.
It is unclear if the hackers accessed and downloaded any of the user data. The department made the breach public in March and has started notifying all impacted DHS patients this week.
Affected users will receive an email with info on the incident and instructions on how to enroll in a free program that provides 12 months of identity theft monitoring and recovery services.
But the Oregon DHS is not the only institution that has fallen for a phishing attack this year. The Australian Catholic University also suffered a data breach after employees also fell for a phishing attack last month. Attackers got away with staff bank accounts details, email, and calendars.
Phishing is one of the oldest tools in hackers' arsenals, and after all these years, still the most effective one. If you'd like to know more, you can read this ZDNet guide on phishing.
More data breach coverage:
- Mermaids transgender charity data breach exposed confidential emails
- EatStreet food ordering service discloses security breach
- Ad agency leaks data on US military veterans' combat injuries
- NASA hacked because of unauthorized Raspberry Pi connected to its network
- Desjardins, Canada's largest credit union, announces security breach
- Meds prescriptions for 78,000 patients left in a database with no password
- Facebook passwords by the hundreds of millions sat exposed in plain text CNET
- The largest cybersecurity breaches of the past three years TechRepublic