Idaho Hack Less Severe Than Projections Indicated


A recent cyberattack targeting the Idaho Transportation Department did not jeopardize as many truckers’ personal information as originally feared, according to an agency spokesman.

With the help of cybersecurity company CrowdStrike, ITD recently completed a forensic investigation of a department e-mail account that was hacked in mid-December. ITD spokesman Vincent Trimboli said that an e-mail account registered to an agency employee was hacked through a phishing scam. When the account was hacked, 35 e-mails were opened. There were 21 attachments contained in those e-mails, five of which were opened.

The e-mail account contained the personally identifiable information (PII) of 89 customers, but ITD does not know how many of those customers were referenced in the 35 opened e-mails.

“We don’t know, of those 35 e-mails that were opened, if they were just from one of those 89 customers or 35 different customers or three of those customers,” Trimboli said. “[For] anybody who had PII in that box, we’re sending them a letter and in the letter we’re telling them what happened.”



Additionally, ITD is offering the potentially affected customers a one-year membership for a credit-monitoring product.

Trimboli described the 89 affected customers as third-party companies that were working with the individual whose e-mail account was hacked. The customers represent five states other than Idaho.

ITD initially projected that a larger swath of individuals and companies were affected by the breach. Gov. C.L. “Butch” Otter issued a press release Feb. 12 stating that the hacked e-mail account contained 318 driver’s license numbers, 400 Social Security numbers or employee ID numbers, 999 credit card numbers and 11 bank account numbers.

Trimboli explained that the department cast a wide net with its initial estimates and noted that a single individual’s information could have been duplicated multiple times in the projected totals. ITD has determined the breach was smaller than originally estimated and has concentrated its efforts on notifying people who may have been affected.

“What we kind of learned is it’s less about how many numbers and more about letting the people know that could’ve been in harm’s way. The ‘how many’ is less important than the ‘who is it,’ ” Trimboli said. “For us, the important part is finding out who could be affected and letting them know that as soon as we could.”

Although reluctant to speculate on what the hacker would do with the stolen information, Trimboli said it is unlikely that the messages contained proprietary information that could be used to alter trucking operations. He said it is more likely that the messages contained information necessary for permitting processes.

Ross Froat, director of engineering and information technology for American Trucking Associations, said that a hacker could potentially use personal information to interfere with individual drivers but could not commandeer the operations of an entire company.

“The state DOT doesn’t have any regulation over what [truckers are] allowed to haul and where to haul it. They just need to know who in their state is driving a commercial vehicle,” Froat said. “Let’s say the hacker acquired 100 fleets in Idaho and all of their driver records and information — then they could individually mess with those drivers.”

The 89 letters ITD sent to entities that may have been affected follow 140 warning notifications the agency’s Division of Motor Vehicles issued to individuals and companies while its investigation was ongoing.

Trimboli said that no one has approached ITD saying they believe their company has been hacked or their information has been compromised. Similarly, an Idaho Trucking Association spokeswoman said that none of its members has approached them with concerns over identity theft.

“ITD is taking additional measures to harden our cybersecurity defenses against another attack and ensure that the personal information of citizens is protected,” State Information Security Director Jeff Weak said in the governor’s press release issued Feb. 12.

One of these additional measures is a feature on agency e-mails that notifies people if the message is from an external source. Trimboli said the agency also will continue to host yearly seminars which train employees on cybersecurity precautions.

“It helps because now people are going to think twice. We’re educating our employees about this so they become even more vigilant. I think it’s a really good reminder and a great education tool,” Trimboli said. “We have communicated to our employees about what happened to use this as a reminder to be as vigilant as possible. This is a great opportunity for our employees to understand that we can’t let our guard down.”