Georgia agency, Department of Human Services (DHS) announced on Friday, Oct. 9, a security breach that exposed private information of children, household members, and other personal information.
According to DHS, unauthorized access was discovered between May 3, 2020, and May 15, 2020, through employee email accounts. The agency notified the Georgia Technology Authority and worked together to resolve the issue.
The officials said hackers were able to retain emails from several employee email accounts until Aug. 10, containing the information of children and adults. These emails involved cases of the Child Protective Services (CPS) and DHS’ Division of Family & Children Services (DFCS).
Following the confirmation of the attack, the authorities took down employee accounts, block malicious actors, and made security actions. As of Sept. 21, DHS began tracing malicious movements and identified affected customers whose information is likely accessed.
The information accessed varies by individual, but some of the private information disclosed includes full names of children and household members, a child receiving services, country of residence.
Children’s age, their parents’ phone numbers, email addresses, Social Security numbers, Medicaid identification numbers, medical provider name, and appointment dates are also exposed in the DHS cyberattack.
More than the personal information, medical records and diagnoses, and counseling notes, psychological reports are also accessed by hackers, along with one individual’s bank account number.
DHS also said emails accessed also include information on substance abuse of children and adults in Georgia. Because of this news, the agency is encouraging clients to contact them directly and protect themselves from harm.
Any parents and children involved in a CPS case in the spring can call DHS’ toll-free number at 1-888-304-1021. The call center is available from 9 AM to 4 PM, from Monday to Friday, until Jan. 8, 2021.
The news was televised and caught the attention of security experts, saying phishing is likely the culprit in accessing email accounts. “When hackers send fake emails to tons of email addresses, hoping someone gives over personal information,” said Rafal Los of Lightstream security.
Los said this is an example of a low-sophistication attack on organizations with poor security practices. He added, “Care should be given not just to protect the kids, but protected personnel and highly sensitive information.”
With the recent hacking, the Georgia child services agency will re-run systems and security measures involving over 9,400 employees.