You have to classify this one as adding insult to injury:
The Massachusetts state agency responsible for unemployment insurance and employment services admitted yesterday that its servers had been infected by a new strain of a particularly nasty virus that may have allowed attackers to make off with as many as 225,000 records on those receiving unemployment insurance and their former employers.
Records that may have been compromised contain Social Security Numbers, employer identification numbers, confidential work and salary histories, email addresses and street addresses of both the unemployed and former employers.
The Mass. Office of Labor and Workforce Development (OLWD) announced a version of the W32.qakbot virus had been introduced into as many as 1,500 computer terminals, including both those used by employees and those available to job-seekers at local customer-service offices.
The agency shut down external access to infected systems immediately after learning of the infection on April 20. It used software and direct support from Symantec to clean up the virus – successfully, it thought.
Monday the agency discovered the infection had not been eradicated. It respawned, reinfected the agency's computers and kept on about its business until OLWD shut the system down for a more thorough cleaning.
Qakbot is known as being particularly effective at scarfing up detailed financial data from secure systems, most often in banks.
Rather than crack back-end databases itself, Qakbot remains on infected workstations, recording keystrokes to identify and mail home usernames, passwords and any other data used or viewed by workers at an infected workstation.
The extraordinarily unprepared state agency has no way to figure out which records might have been compromised, but warns that anyone who came in to an OLWD office or even phoned one could be at risk if an employee pulled up their personal records at any time during April and May.
Employers who walked in to an OLWD office to file required quarterly employment reports in person – rather than automatically online – may also be at risk.
The agency put up a page with instructions on how clients can protect themselves from identity theft (maybe not go to a state agency?), but gave no information about any new precautions of its own except to promise it had asked the Mass. Attorney General's Cyber Crime Unit, the Office of Consumer Affairs and the FBI to investigate.
On its own account, the agency promised that "all steps possible are being taken to avoid any future recurrence."
It's not surprising OWLD had trouble getting rid of the virus, according to security researcher Roel Schouwenberg of Kaspersky Labs, as quoted by WBUR.org.
“These days, whenever I hear of a big corporate infection that’s very hard to get rid of, and people are struggling, I immediately think of Qakbot,” he said.
The agency is cleaning out its workstations one at a time, but has no estimate for how long that will take.
So. It's good to know that at least it was a quality virus that caused the trouble, rather than the face-palm-inspiring carelessness that allowed the Texas State Comptroller's office to leave unencrypted personal records of 3.5 million people on a public Web server for more than a year.
According to a 2009 study from Ponemon Institute, the threat from both viruses and carelessness is high in government agencies.
Eighty seven percent of IT people in government agencies responding to a survey believe too many people have access to sensitive information that is not required for their jobs.
Seventy-two percent of responding organizations said they can't close down employee access accounts quickly enough to ensure security when someone quits.
Fifty-nine percent or organizations don't have or don't enforce data-access policies; 65 percent don't have enough IT staff to enforce security; 37 percent allow business units with no security responsibility to grant and administer access to secure data.
Only 32 percent said they have good enough visibility across all their accounts to be confident their user access is secure, or at least secure enough to comply with security policies.
Not good. Really bad, in fact. Unfortunately, "really bad" is consistent with the security situation we learn about after nearly every data breach– not only at the organization that's been breached, but the rest of its industry as well.
There's a lot of hand wringing after every new incident. So far no one has come up with a good solution – or even suggested one – that might give potential victims greater control over their own information or more assurance that, if careless caretakers do let sensitive data escape, it will be difficult enough to extract or unencrypt to provide some protection.