The personal information of over 645,000 Oregonians who signed up for benefits with the state's Department of Human Services (DHS) was inadvertently exposed to hackers after nine DHS employees were fooled by phishing emails.
The phishing attack happened on January 8, 2019, according to a news release from the Oregon DHS this week.
Starting the next day, the nine employees who fell for the phishing attack began experiencing problems with accessing their email accounts.
A subsequent investigation discovered the phishing incident. DHS staff secured accounts by January 28, a full 20 days after hackers first got in.
The DHS and the Enterprise Security Office Cyber Security team said that the intruders had access to over two million emails. The emails contained file attachments with the data of over 645,000 Oregonians who had enrolled at one point or another for various benefits.
It is unclear if the hackers accessed and downloaded any of the user data. The department made the breach public in March and has started notifying all impacted DHS patients this week.
Affected users will receive an email with info on the incident and instructions on how to enroll in a free program that provides 12 months of identity theft monitoring and recovery services.
But the Oregon DHS is not the only institution that has fallen for a phishing attack this year. The Australian Catholic University also suffered a data breach after employees also fell for a phishing attack last month. Attackers got away with staff bank accounts details, email, and calendars.
Phishing is one of the oldest tools in hackers' arsenals, and after all these years, still the most effective one. If you'd like to know more, you can read this ZDNet guide on phishing.