By Leslie Ballard
A confirmed data breach occurring on February 11 could potentially affect 567 Allegan County employees.
In a February 15 e-mail, Vickie Herzberg, Executive Director of Human Resources for Allegan County, informed employees that “one of our employees fell victim to a social engineering scheme and forwarded W-2 information pertaining to a number of County employees to an unknown and unauthorized third party.”
According to Cisco Systems, Inc., an American multinational technology company, social engineering is not a cyber attack but “is all about the psychology of persuasion. It targets the mind like a con man. The aim is to gain the trust of targets, so they lower their guard and then encourage them into taking unsafe actions such as divulging personal information or click on web links or opening attachments that may be malicious.”
The social engineering incident at Allegan County came in the form of an “email that gave the appearance the request came from an internal employee that is also credentialed to receive the information,” said Herzberg.
One County employee questioned how this could happen, pointing out that any e-mail coming from outside the organization has a highlighted and boxed insert immediately below the subject line that reads “CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.” This employee adds that they have been instructed never to open or respond to an e-mail containing this caution.
In the e-mail to employees, Herzberg stated “at this time there is no evidence any of your personal information has been misused. However, we recommend you remain vigilant against any attempts to compromise your personal information.” Of particular concern is the possibility of tax fraud given that W-2 information was provided. Employees were advised to confer with their tax preparers and/or the IRS to learn what steps to take.
“All impacted employees (current or former) that we had valid email addresses for have received the County’s voluntary email notification,” said Herzberg. Only former employees with reportable wages for 2021 were affected.
“In a typical social engineering attack, a cybercriminal will communicate with the intended victim by saying they are from a trusted organization. In some cases, they will even impersonate a person the victim knows,” according to Cisco, which was apparently the case with the Allegan County breach. The name of the employee responsible is being withheld.
Once the employee reported the breach, the County notified the Michigan Municipal Risk Management Authority, a self-insurance pool that provides liability, property, and data breach coverage to governmental entities throughout Michigan, and the FBI’s Internet Crime Unit.
In a February 16 Q and A document provided to employees, the company announced that they would provide identity protection services from Lifelock for one year and perhaps more. The employees will be responsible for working with Lifelock to subscribe.
One employee who has been a victim of a previous data breach and already subscribes to Lifelock was told that he/she will have to unsubscribe and then sign up again under the County’s plan. “For employees who are already Lifelock members, why not simply reimburse us for what we have paid instead of all of the unsubscribing and resubscribing. More importantly, why doesn’t the County take care of enrolling the employees since we are the victims in this?” the employee asked.
As of Feb. 16, the County was “optimistic that this [establishing the Lifelock subscriptions] will occur next week.”
During a Zoom call with employees on Feb. 18, Rob Sarro, Allegan County Administrator, expressed gratitude that the employee who caused the breach came forward, which appears to indicate that such a step is not a required part of the County’s protocol for such incidents.
The impression given to some of those participating in the Zoom meeting was that the employee involved had some personal issues, which may have caused this person to be less diligent. No disciplinary action is planned.
Not all employees agree. “The person that did it should have disciplinary actions. This is the type of situation that calls for more than ‘the person was having a bad day,’” observed one County employee.
According to Herzberg, the “County has provided and will continue to provide Cybersecurity training, including information on data breaches.” According to the County, none of its systems were breached.
While one County employee thought County administration was patting themselves on the back because they did some things they were legally required to do, such as alerting them by e-mail prior to their receiving a letter, another stated “I am not satisfied. I think more could be done.”
County workers were not informed of the number of employees affected.
The County shared additional resources with its employees. These included obtaining an Identity Protection PIN since the breach involved W-2 forms.
Other recommendations consisted of placing a fraud alert on credit files, obtaining a free credit report to monitor activity, and requesting a security freeze on credit files.
The downside to the fraud alert is that it may delay the ability to obtain credit, and the security freeze may delay or prohibit the timely approval of applications such as for new loans, credit, mortgages, insurance, rental housing, cellular phone or utility services, Internet credit card transactions and more. A fee may also be charged, although that is usually waived if the person requesting it can show proof of being a victim of identity theft.
According to the 2021 Annual Data Breach Report commissioned by the Identity Theft Resource Center, “the overall number of data compromises (1,862) is up more than 68 percent compared to 2020. The new record number of data compromises is 23 percent over the previous all-time high (1,506) set in 2017.”
In a December 2021 article in Security magazine, Maria Henriquez reports “In particular, manufacturing & utilities sector was deeply impacted, with 48 compromises and a total of 48,294,629 victims. The healthcare sector followed, with 78 compromises and more than 7 million victims. Other sectors with more than 1 million victims included financial services (1.6 million victims), government (1.4 million victims) and professional services (1.5 million victims).”
Many high-profile companies around the world have been victims of cybercriminals, including Facebook, LinkedIn, USCellular, T-Mobile, Yahoo, Marriott, MySpace, Twitter and Equifax.
Individuals can find preventive assistance through one of the many companies such as LifeLock, Identity Guard and Norton, while governmental agencies and companies often hire organizations such as Cisco, IBM and Verizon, which specialize in working with large entities.
“Unfortunately, even with all measures in place, organizations can fall victim to schemes,” observed Herzberg.