Oregon Employment Dept Breach Affects 850K

Breaches—what more confirmation do we need that they have become commonplace, if not inevitable? With news that the Oregon Employment Department (OED) has identified an intrusion into the agency’s website, the evidence appears to be mounting.

OED responded to an anonymous tip alleging a security vulnerability in the WorkSource Oregon Management Information System (WOMIS), an application that state residents use to register for job search help and other services. The system does not affect the filing of unemployment insurance claims.

The main concern was whether there was a possibility of the attackers retrieving Social Security information. The breach potentially affects 850,000 people.

“The first priority is to secure all personal information, regardless of whether it had been compromised,” OED said in a statement. “Work began immediately—in coordination with the state’s Chief Information Office—to validate the information in the anonymous tip.”

The top was indeed validated, and WOMIS was shut down and quarantined while steps were taken to patch the flaw. OED said that the personal information was then secured to prevent any further threats, and the website was brought back online with added security and a repaired and reinforced WOMIS system.

Now, the OED is working to determine exactly whose information has been compromised and to initiate a criminal investigation.

“We do not know if criminal activity has taken place,” it said. “At the direction of Governor Kitzhaber, law enforcement has been contacted.”

OED is sending out letters to directly notify all customers who are WOMIS participants, and has established a dedicated hotline for inquiries, 1-877-643-4322.

Mark Bower, vice president of product management at Voltage Security, noted that the incident points out the “not if but when” nature of data breach attacks.

“Organizations need to assume they are going to be breached at some point and take a different approach to breach risk,” he told Infosecurity.

That’s especially true as their tactics change. Attackers can run automated scans for weaknesses and known vulnerable software, quickly establishing virtual blueprints of systems to define where to focus to steal the most valuable sensitive data.

“Attackers will conduct virtual raids through botnets or command and control centers, and their partners in crime will look to monetize the stolen information through fraud,” Bower explained.

He added, “It’s a lucrative criminal business and, unfortunately, firewalls and traditional data-at-rest encryption won’t do anything once the attackers or malware are inside live systems like databases as in this case.”

While OED didn’t elaborate on what the ramped-up security measures are that it put in place, Bower noted that the only way to mitigate the threat to data-in-transit information like what gets sent via websites to back-end servers is to neutralize the data in the first place, using more modern data-level encryption.

“This has emerged as the best defense that’s both powerful, and economic,” he said.

What’s Hot on Infosecurity Magazine?