The six-month gap between the time Maine officials knew of a state data breach and when they announced that 1.3 million people might be affected by it has drawn criticism from potential victims and at least one industry insider.
But another cyber expert cautioned that the state’s information technology officers had a lot of work to do before making the breach public.
The state had to identify the problem, investigate what happened and make sure the threat was stopped, Marc Bleicher, chief technology officer at Surefire Cyber, a cyber response firm, said Friday in an interview.
Before announcing it to the public, officials “want to make sure that they have all their ducks in a row,” he said.
Government agencies and businesses that are targeted in a cyber attack must work with data privacy attorneys, conduct a “root cause analysis,” learn the full scope of the data that were compromised, work with a “crisis firm” to notify those affected by the hack and respond to internal inquiries, he said.
“I don’t think it harms their credibility at all as long as there’s no legal obligation for them to report in a certain amount of time,” Bleicher said of the six-month delay.
But Arthur House, Connecticut’s former chief cybersecurity officer, said Friday that the time that elapsed before Maine officials publicized the breach was excessive.
“Six months, that’s a long, long time,” said House, who previously headed Connecticut’s utility regulatory agency. “I could see a week to figure it out. Very quickly you owe it to the public, to tell you what happened.”
The Maine attorney general’s website has a section on consumer information related to data breaches, including notification requirements, but it does not address appropriate length of time between discovery of a breach and notifying potential victims.
NOTIFICATIONS BEGIN
The Maine Department of Administrative and Financial Services said Thursday that officials became aware May 31 of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software. That weakness was exploited by cybercriminals who downloaded files belonging to certain state agencies on May 28-29, the state said.
More than 1 million people who had contact with Maine state agencies were affected by the activities of a Russian cybercrime gang, potentially exposing Social Security numbers, dates of birth and other confidential information, state officials said Thursday. The breach was one of several worldwide tied to attacks by this gang, which was running an elaborate extortion scheme.
Inga Sandvoss Browne, an English teacher at Thornton Academy in Saco, criticized the “abysmal time” state officials took to alert the public and state employees. The Department of Education sent a letter to teachers Thursday, the same day the state disclosed the data breach, she said.
“The DOE addressed the letter to ‘Champions of Education,’ but I can tell you that I did not feel like a ‘champion’ yesterday,” Browne said in an email.
The Department of Education said the data involved relates to educator certification, including names, birth dates, and Social Security numbers. No student data were involved and the agency said it’s not aware of any misuse of the data.
Between 10% and 30% of employees at the state Department of Education were affected by the cyber attack, the state said. The breach affected more than 50% of the Department of Health and Human Services workforce.
As soon as the state became aware of the incident, it blocked internet access to and from the MOVEit server and established security measures recommended by Progress Software, state officials said. It hired a lawyer and external cybersecurity experts to investigate the nature and scope of the incident, and what information was involved.
The state said its investigation into the affected files was recently completed. Having assessed the damage, it is now notifying individuals through various channels, including a nationwide press release, postal mail and email.
The state will reach out by U.S. mail to those for whom it has addresses, said Sharon Huntley, a spokeswoman for the Department of Administrative and Financial Services. State employees will be contacted by email. Maine employed 13,239 workers last year, according to its annual financial report.
“We’re hopeful that our efforts, such as sending out local and nationwide press releases, putting up a banner on our website and launching a dedicated website, will help spread the word about the cybersecurity incident,” she said Friday in an email.
She referred to the website when asked by a reporter about the delay.
The website, maine.gov/moveit-global-data-security-incident, provides the latest information about the breach. A dedicated call center has also been established at (877) 618-3659, with representatives available from 9 a.m. to 9 p.m. Monday to Friday.
The state is also offering two years of complimentary credit monitoring and identity theft protection services to people whose Social Security numbers or taxpayer identification numbers were involved.