Cyber Incident Victim: State of New Jersey

Date: Jan 2021

Location: United States of America

Summary

A cyberattack targeting a state employee portal compromised approximately 200 employee accounts through credential stuffing, leveraging previously breached login credentials to gain unauthorized access. The impacted portal housed sensitive personal and financial information, including Social Security numbers, birthdates, and pension details. Following the breach, affected accounts were promptly disabled, and impacted individuals were notified by state authorities. The incident underscores the risk posed by reused credentials, and it exposed critical employee data to potential misuse.

Description

In or around late January 2021, unidentified hackers executed a credential stuffing attack against the myNewJersey employee portal operated by the State of New Jersey. The attackers exploited previously compromised login credentials to gain unauthorized access to approximately 200 state employee accounts. This portal housed highly sensitive personal and financial data, including Social Security numbers, dates of birth, and pension-related information. The New Jersey Office of Information Technology (OIT) detected the intrusion and immediately disabled all affected accounts to prevent further unauthorized access. Officials notified impacted employees about the breach but did not publicly disclose the exact timeline between initial compromise and detection. The attack specifically targeted credentials rather than exploiting technical vulnerabilities in the portal's infrastructure.

The incident exposed employees to potential identity theft and financial fraud due to the nature of compromised data. No information was provided regarding whether attackers exfiltrated data or merely accessed accounts. The OIT confirmed the attack methodology as credential stuffing but did not specify the origin of the stolen credentials used in the attack. Union officials were informed alongside affected employees, though specific unions were not named in disclosures. The state implemented account lockdowns as its primary containment measure but did not detail additional remediation steps such as password resets or multi-factor authentication implementation. Financial impacts and operational disruptions beyond account disabling were not quantified in available reports.
