Cyber Incident Victim: Illinois Department of Innovation & Technology
Date: May 2023
Location: United States of America
Summary
A global cyberattack exploiting a vulnerability in third-party MOVEit file transfer software compromised Illinois state data. The incident resulted in the theft of personal information belonging to approximately 390,000 individuals. The state responded by securing its affected systems and offering impacted individuals 12 months of credit monitoring and identity protection services. While the data was stolen, there has been no indication of its fraudulent use. Federal and state authorities continue to monitor the situation.
Description
On May 31, 2023, international hackers launched a coordinated attack targeting large multinational businesses and governments. This global security breach exploited a vulnerability in the MOVEit file transfer application. The Illinois Department of Innovation & Technology (DoIT) was among the many entities affected by this widespread criminal campaign. The attackers gained unauthorized access to files housed by a third-party company that were in the state's possession. The incident was detected promptly, and within hours of the attack commencing, DoIT responded to the security event. The department's initial response involved removing the hackers from the state's systems. This was accomplished by securing the specific servers that had been compromised during the attack. Immediate steps were implemented to protect against future intrusions and to harden the state's digital infrastructure against similar threats.

Following the containment of the immediate threat, DoIT began the meticulous process of assessing the scope and impact of the data breach. Staff worked tirelessly to comb through the stolen information to identify the specific individuals whose personal data was taken by the hackers. This forensic analysis was necessary to determine the exact number of affected parties and the types of information that were exfiltrated. The investigation concluded that the personal information of approximately 390,000 individuals was compromised in the incident. This figure was relatively small in comparison to the millions of impacted residents in other states that fell victim to the same global attack campaign, but it still represented a significant data exposure for the state of Illinois.
Earlier in June 2023, prior to public notification, DoIT formally notified the Office of the Illinois Attorney General and the three major credit reporting agencies about the attack as part of its regulatory and compliance obligations. Federal and state authorities were already actively monitoring dark web activity conducted by the group of bad actors claiming responsibility for this event. DoIT confirmed it was working in cooperation with law enforcement authorities on the investigation into the criminal acts. By the week of June 28, 2023, the state began the process of directly notifying all impacted individuals. Notices were mailed to those approximately 390,000 people with information about the breach and instructions on how to proceed.
The mailed notices contained information on registering for credit monitoring services offered by the state. To assist those impacted, the Illinois Department of Innovation & Technology established a dedicated call center. The call center information was shared exclusively with impacted individuals to ensure they could receive the full attention of call center staff and to maintain the security of the response process. The department provided 12 months of credit monitoring services through Experian's IdentityWorks product. This service included identity theft detection, identity restoration services, and identity theft insurance to help protect the affected individuals from potential financial fraud and other misuse of their personal information.
At the time of the public announcement on June 28, 2023, there was no indication that any of the compromised information had been used fraudulently. The state's comprehensive response was driven by a serious approach to data security and a priority on swift action to address the incident. The leadership emphasized the importance of transparency throughout the process, from the initial response to the notification and offering of protective services. The incident was characterized as a result of a global criminal attack against a third-party software product, and the state's actions reflected a focus on mitigating the harm to its residents rather than the specific technical details of the infiltration. The provision of credit monitoring and a dedicated support channel constituted the primary mitigation effort to address the potential consequences of the data being stolen.
