Cyber Incident Victim: Workforce Safety & Insurance
Date:
Jun 2015
Location:
United States of America
Summary
A North Dakota state agency experienced a server breach involving unauthorized access to approximately 43,000 incident reports and 13,000 payroll records containing personal identifiers such as social security numbers, names, employer details, and medical information. The compromise affected individuals who submitted online reports during a multi-year period prior to the discovery. Following detection of unusual server activity by the state's IT department, forensic analysis found no evidence that the data was copied or transferred externally. The agency established a dedicated call center and offered affected individuals complimentary identity repair services for one year as a precautionary measure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2015, the North Dakota Information Technology Department (ITD) detected unusual activity on a server operated by the Workforce Safety & Insurance Institute (WSI), a state agency responsible for workers' compensation. The ITD engaged the Multi-State Information Sharing and Analysis Center, a federal cybersecurity partner, to conduct additional forensic testing on the compromised system. WSI officials were formally notified of the breach on June 10, 2015, following this investigation. Analysis revealed unauthorized access to approximately 43,000 workers' compensation incident reports and 13,000 payroll reports submitted electronically between 2006 and 2013. These documents contained sensitive personal information including full names, Social Security numbers, employer details, and medical data related to workplace injury claims. The breach scope was limited to reports submitted through WSI's online systems during the seven-year window, excluding paper submissions or records outside this timeframe. Authorities emphasized forensic examination found no evidence that attackers successfully copied or transferred any data from the compromised server prior to detection.
WSI implemented a response plan that included establishing a dedicated call center to field inquiries from potentially affected individuals. The organization offered one year of complimentary identity repair services through a third-party provider to all individuals whose information resided on the breached server. State investigators reiterated throughout their communications that no forensic evidence suggested actual exfiltration or misuse of the exposed data, though they acknowledged the theoretical risk posed by the unauthorized access. The disclosure maintained transparency about the types of compromised records while specifying the temporal boundaries of affected submissions. No ransomware deployment, financial theft attempts, or subsequent fraudulent activity tied to the breach were documented in official statements following the incident.