Cyber Incident Victim: Minnesota Department of Human Services
Date:
Mar 2018
Location:
United States of America
Summary
The Minnesota Department of Human Services experienced a security breach when an employee’s email account was compromised, allowing an attacker to send fraudulent emails requesting wire transfers to coworkers, though no funds were lost due to staff vigilance. While unauthorized access potentially exposed personal information of approximately 11,000 individuals, investigators could not confirm whether data was viewed or misused. The agency emphasized its commitment to privacy and apologized for any concerns arising from the incident, which marked its third security breach within a short timeframe.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 26, 2018, the Minnesota Department of Human Services (DHS) experienced a security breach involving unauthorized access to a state email account belonging to an employee within its Direct Care and Treatment administration. The attacker gained control of the account and used it to send two fraudulent emails to the employee’s co-workers, masquerading as legitimate requests to pay an invoice via wire transfer. The targeted employees recognized the emails as suspicious, did not comply with the payment demand, and promptly reported the incident to Minnesota IT Services (MNIT) in accordance with established DHS and MNIT policies. This prompt reporting allowed MNIT to initiate an investigation immediately after detection. The breach notification later confirmed the attacker had potential access to view, download, or otherwise obtain contents within the compromised email account during the intrusion period. Approximately 11,000 individuals’ personal information was identified as potentially exposed due to this unauthorized access.
DHS publicly disclosed the incident in April 2019, notifying state lawmakers and affected individuals. The agency emphasized it could not definitively determine whether the attacker had viewed, downloaded, or misused any personal data from the breached account, though no evidence of such activity was identified. Human Services Commissioner Tony Lourey characterized the incident as an assault on the agency’s mission, apologized for the concern caused, and reaffirmed DHS’s commitment to protecting the privacy of service recipients. The breach marked the third cybersecurity incident at DHS within a span of just over a year, underscoring persistent targeting of government entities by threat actors. Response actions included internal reviews of security protocols and coordination with MNIT, though specific technical containment measures were not detailed in public notifications. The incident highlighted operational risks associated with business email compromise attempts and the reliance on employee vigilance to detect sophisticated phishing tactics.