The Minnesota Department of Human Resources has suffered a data breach. Reports from yesterday state that an employee of their department fell for a phishing email that gave the attacker access to the employee’s state email account. The account had access to the information of families and people that the department had assisted. The attacker used the account to send out spam emails to contacts on his address book, but the email contents were not released. The department did not know exactly what type of data the attacker accessed or if any data was leaked. The account had access to social security numbers, driver’s license numbers, names, dates of birth and phone numbers. The account has since been secured and they are investigating the breach. Last year, the same department had the information of 21,000 clients stolen. This department provides services to some of Minnesota’s most vulnerable populations, leaving them exposed if this demographic gets compromised.
This is another example of how phishing campaigns can cause problems within an organization. Although it is not confirmed what exactly was stolen in this attack, the potential exists for the attacker to get a lot of information that they would have found useful. Phishing attacks are not going to go away, and it is important that all companies, organizations, and employees receive proper training to identify these messages and delete them. This training should not only take place once–it needs to be done on an ongoing basis to ensure everyone in the organization is refreshing their skills and learning the newest trends in which they may be targeted.