A cyber-security breach at Oregon’s State Accident Insurance Fund Corp. may have exposed confidential information of more than 1,750 people.
The information, including the individuals’ names and Social Security numbers, was compromised on Nov. 3 when a hacker gained access to a SAIF auditor’s email account. That account contained emails that included personal information on employees of six companies that get their workers’ compensation insurance through the quasi-public agency.
Among those affected are some substitute teachers and school classified workers in the Portland metropolitan area.
As of late Jan. 3, there had been no reports of identity theft as a result of the attack, said Lauren Casier, a SAIF spokeswoman.
“SAIF is diligent about protecting the confidential information that is shared with us,” Bruce Hoffman, the company’s vice president of underwriting, wrote in a letter to affected employees. “We deeply regret that this incident has occurred. We are reviewing what needs to be done to avoid any recurrence.”
Employees were notified in late December that their confidential information may have been exposed. The seven-week delay resulted from the time needed to manually review email folders and attachments to identify what personal information they contained and to compose a letter to employees, Casier said.
The affected employees work at six companies that buy insurance from SAIF, including EMS SubDesk, a Beaverton company that provides substitute teachers and classified workers to several charter schools in Multnomah and Washington counties. Katey Thomas, EMS SubDesk’s registered agent, did not return a telephone call from the Pamplin/EO Capital Bureau seeking comment on the data breach. A call and email to the company’s general mailboxes also were not returned.
On Wednesday, Casier declined to release names of companies affected by the breach, citing a state public records disclosure exemption.
The Capital Bureau independently obtained a letter about the cyber-security failure that identified EMS SubDesk.
Casier did identify the other companies’ locations and lines of work. They are:
• A home health care provider in Beaverton.
• A construction company in Portland.
• An agriculture company in Dayton.
• A construction company in Hillsboro.
• A construction company in Beaverton.
One of the policyholders may have had financial account information exposed in the attack, and that policyholder has been notified, she said.
SAIF is required by law to request payroll information from policyholders as part of its premium audit process. While the request does not include Social Security numbers, employers sometimes provide that information as part of the payroll information, Casier said.
Upon learning of the hack on Nov. 3, SAIF officials immediately disabled the auditor’s email accounts and reported the cyber-security breach to the FBI, the Oregon Department of Justice and consumer-reporting agencies Equifax, Experian and TransUnion.
SAIF also retained CSIdentity to provide employees of the policyholders with credit monitoring and credit restoration free of charge for a year, Casier said. Employees have until March 31 to sign up.
Data breaches have affected high-profile companies such as Target and Equifax, the latter of which may have exposed private information of half of Americans.
“Sensitive data can easily be the target of attacks; they should be well protected via … encryption, so that even if an attacker broke into an account and stole the data, they still cannot decrypt it,” said Jun Li, a computer science professor and director of the University of Oregon’s Center for Cyber Security and Privacy.
Oregon state agencies have struggled with cyber security for years. In 2014, hackers gained access to computer systems in the Secretary of State’s office and Employment Department. A year later, the state data center was hit.
A November 2016 audit, overseen by then-Secretary of State Jeanne Atkins, found problems at 13 agencies, concluding that “planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed.”