Worm steals data from unemployed in Massachusetts

Share this article:
The personal information of up to 210,000 individuals who had recently filed unemployment insurance claims in Massachusetts is at risk after a worm spread through the network of the state's labor department, officials revealed this week.

The Massachusetts Executive Office of Labor and Workforce Development said a newly discovered variant of the Qakbot worm infected computers in its Unemployment Assistance and Career Services departments, as well as machines in its One-Stop Career centers across the state. Names, Social Security numbers, employer identification numbers, email addresses, residential or business addresses and bank information may have been compromised.

Qakbot, first identified in 2009, records a user's keystrokes, saves them to a file on the infected machine, then attempts to send the file back to attackers, John Glennon, CIO for the labor department, told SCMagazineUS.com on Wednesday. Its goal is to obtain personal and banking information.

The infection was first discovered on April 20 after the help desk began receiving calls from users who complained that their computers were acting strangely, Glennon said. Network managers immediately began working to eradicate the infection. It was subsequently learned, however, that initial efforts to remove the virus were not entirely successful and that data had left state systems.

Upon discovery of the  leak, “the system was shut down and the breach is no longer active,” the labor department said in a statement.

The actual number of victims is unknown but, as a measure of precaution, the state is notifying all unemployment insurance claimants, Glennon said.

Those who have done business between April 19 and May 13 at the Unemployment Assistance or Career Services departments, or at a state career center, are possibly affected, the agency said. Additionally, approximately 1,200 Massachusetts businesses that file quarterly statements using agency computers may be at risk.

“I apologize to our customers and recognize that this is an unwanted problem,” Labor and Workforce Development Secretary Joanne Goldstein said in a statement. “We are hopeful that the actual impact on residents and businesses is minimal.”

Agency computers were infected with a variant of the worm that was not detected by the department's endpoint security product, from Symantec, Glennon said. Officials believe the virus made its way onto state systems after an employee or career center visitor clicked on a malicious link.

“I believe we did everything we could to keep virus signatures current and protect our environment against an infection like this,” he said. “But we were still infected and breached.”

The agency now plans to reassess its security defenses, Glennon added.

“We are going to work with the state security office and Symantec to ensure we are optimally configured and protected in the correct ways,” he said.

According to Symantec, Qakbot spreads through network shares and removable drives. The worm, which contains functionality that allows it to evade detection, attempts to steal information, open a backdoor on compromised computers and download additional files.

An investigation into the breach is ongoing, Glennon said. The agency has notified state and federal agencies, including the attorney general's office and FBI.

Share this article:

Sign up to our newsletters

More in News

Community Health Systems faces lawsuit related to data breach

The suit claims the hospital operator failed to meet security standards to protect the personal information belonging to patients.

Norwegian oil companies targeted in string of attacks

More than 300 companies are being warned to check their systems after at least 50 oil companies confirmed that their systems were attacked.

Possible payment card breach at Dairy Queen stores

Several financial institutions are reporting payment card fraud activity on credit and debit cards used at various Dairy Queen stores around the country, according to Brian Krebs.