All too often, when people think of a data breach, they immediately assume that payment card data or financial information was stolen from a retailer or other company that handles financial records. However, other types of data can be much more lucrative targets for hackers.
In May of 2014, it was discovered that attackers had had access to a server belonging to Montana’s Department of Public Health and Human Services since July of 2013. While this may seem like a long time, it is quite common for highly sophisticated threats to roam free in a computer system for this length of time or even longer.
Who was affected?
It is estimated that 1.3 million people were affected by this data breach. The total population of the state of Montana is a bit less than 1 million; however, officials have stated that the breach could have impacted people who no longer live in the state as well as the estates of residents who have since passed away.
How did this happen?
On May 15, 2014, information technology employees noticed suspicious activity. After they monitored it, a formal investigation was launched by a third-party organization, Kroll, on May 22nd. The investigators found malware on the server that would allow unauthorized access to the records stored on that server.
How were consumers notified?
When the investigation confirmed that there was, in fact, a data breach, department officials immediately began the process of notifying the 1.3 million people who had information on the server. In addition to mailing letters, the department has set up a toll-free help line for people to ask questions and has issued a press release that was posted on its website. So far, fewer than 200 people have called the help line.
How were consumers impacted?
The server in question was reported to have contained names, addresses, birth dates, Social Security numbers, birth certificates, death certificates and medical records. Additionally, the bank account information of about 3,100 employees and contractors was also stored on the compromised server.
To date, there has been no indication that the hackers actually stole or exposed this information, but the department’s director, Richard Opper, is “erring on the side of displaying an overabundance of caution.”
How was the company impacted?
There were several costs involved in this hack that will impact the state. To begin with, the investigation costs are not cheap. Bringing in a third party to look for the origin of a breach that has left a system open for almost a year takes a great deal of time, and that is costly.
For those affected by the breach, the state has reached out to offer free credit monitoring and identity-fraud insurance for a period of one year. Of course, should this incident result in any fraud, there will likely be legal fees and restitution costs as well.
How can they fix it?
According to the press release issued by the department, additional security software is being purchased to better secure sensitive information. The department is also looking to review its existing policies and procedures to see what can be done to prevent this from happening again.
From a security standpoint, it would be interesting to see what strain of malware was found on the server. If it is one that is well-known, the first step should be to review the processes surrounding anti-virus software updates. Updated software can usually help prevent infections from known malicious software. Another step they should take is to effectively train employees to spot suspicious activity and to report it. Had someone alerted IT sooner, the damage could have been less.