Cyberattack hits NJ employee portal holding personal, financial data


By: Dustin Racioppi
Trenton Bureau
USA Today Network - New Jersey

Hackers targeted the accounts of about 22 state employees in a cyberattack on a government portal that holds data such as Social Security numbers, birthdays and pension information, according to state and union officials.
The late-January [2021] attack was disclosed to employees and their accounts were "immediately disabled," a spokeswoman for the state Office of Information Technology said.
But the extent of the potential damage was still unclear weeks later.
"The state identified a relatively small number of user accounts for which the threat actors gained access," spokeswoman Julie Garland Veffer said. "These accounts were immediately disabled, and the state is currently investigating to determine if any sensitive information was accessed."
Cyberattacks are a persistent threat amid antiquated systems and a lack of standards. The most prominent recent attack was the SolarWinds malware attack that targeted about 250 federal agencies and private businesses.
But attacks happen much lower down government ranks, too.
Elmwood Park, Fair Lawn and Palisades Park were targeted in 2019, the last of those attacks costing the borough $500,000. That same year, human error at the state Schools Development Authority exposed sensitive employee information.
In the latest instance, the myNewJersey portal for state employees was the victim of what's known as a credential stuffing attack, using compromised login credentials, according to the Office of Information Technology.
Last year [2020], the Securities and Exchange Commission warned that it had seen an uptick in such attacks that "significantly increases various risks for firms, including but not limited to financial, regulatory, legal, and reputation risks, as well as, importantly, risks to investors."
The myNewJersey portal allows state employees and those enrolled in the pension system to find information such as tax and payroll records, and it stores personal data like email addresses and home phone numbers.
Veffer said "unknown threat actors" harvested login credentials from the dark web, then "indiscriminately used" them to [...] The portal uses two-factor authentication and all users are urged to use it as an added security measure.
Veffer did not say exactly how many employees' accounts were accessed, but Patrick Colligan, president of the Policemen's Benevolent Association, said about 200 of his members were affected. There are about 65,000 state employees.
Colligan is upset by the state's response. He had heard about the attack last week [03/04/2021], then confirmed it with the governor's office.
"It's concerning that there was a data breach there and we weren't notified before I checked with the front office," Colligan said. "I would have preferred a mass notification."
Murphy's office said affected employees were notified of the breach.
The New Jersey State Police Cybercrimes Unit is investigating the attack, Veffer said.
