About 21,000 Minnesotans’ information affected in data breach from Department of Human Services

October 12, 2018

About 21,000 Minnesotans personal information could have been leaked in a data breach earlier this year, the Minnesota Department of Human Services said Friday.

The state agency first notified people who were affected earlier this week, although the data breach occurred in June and July after hackers were able to access two employees e-mail accounts through phishing campaigns.

We sincerely regret these data security incidents and apologize for any impact they may have on you or your family, Commissioner Emily Piper wrote in a letter to those affected.

The agency said theres no evidence yet that peoples personal information was viewed, downloaded or misused, but hackers could have had access to peoples names, birth dates, Social Security numbers, addresses and telephone numbers.

Its the latest cyberattack on Minnesotas state agencies, which fend off about 3 million cyberattack attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies.

In just the last nine months, more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming more pervasive and more sophisticated.

Weve had a massive uptick in these phishing incidents in the last several months, he said.

While the Department of Human Services (DHS) said its data breach happened June 28 and July 9, Minnesota IT Services didnt notify the department of the breach until Aug. 13. A DHS spokesperson said Friday that the agency has to report breaches no later than 60 days after it learned of the incident. Under a state law adopted several years ago, companies and government agencies are required to notify consumers of all data breaches.

On Friday, state Senate Majority Leader Paul Gazelka said in a statement that there was no excuse for a delay that long in notifying people. He wrote that the breach shows that government cant secure data. Its a recipe for disaster, he added.

Call said Gov. Mark Dayton recommended funding better technology to protect against phishing attacks, but the Legislature didnt fund it.

Certainly technology would have prevented this specific incident, Call said. I dont know if theres anyone more disappointed it took us this long to get to the bottom of these attacks. Sometimes it just takes time.

Call said that, generally, attackers will look to monetize data or use e-mail addresses to send out more phishing attacks. Hackers could also try to reroute paychecks or target government systems to be disruptive.

Were never going to go back to the days of paper. Its always going to be out there, he said of personal data stored electronically. But, he added, Minnesota needs to invest more in preventing and responding to cyberattacks.

This is definitely preventable with more investment, Cal said. Im fighting hard to get us there.

In December, a hacker targeted Explore Minnesota, the states tourism agency, with phony news postings on Facebook. In April 2017, an e-mail spear phishing attack targeted the state Department of Education but was unsuccessful in getting data. And in June 2017, a hacker targeted the University of Minnesotas computer system but didnt access private data, following similar attacks against Minnesota State University, Moorhead, and other state government databases.

DHS is now preparing a full report about the data breach, which is expected to be done by early to mid-November.

Kelly Smith 612-673-4141

Update hourly