An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts.
Cyber-criminals may have used malware to steal personal
information from the Massachusetts unemployment offices, according to the state
As many as 1,500 computers in the Departments of
Unemployment Assistance and Career Services were infected with a virus
beginning April 20, the Massachusetts Executive Office of Labor and Workforce
Development said on May 17. Computers in the mobile One Stop Career Centers
that work with claimants were also infected.
Even though EOLWD immediately worked with Symantec to remove
the malware, W32.QAKBOT, it learned on May 16 that the infection hadn't been
"remediated as originally believed," leading to a data breach.
"I apologize to our customers and recognize that this
is an unwanted problem," Joanne F. Goldstein, Secretary of Labor and Workforce
Development, said in a statement.
Qakbot is a worm that spreads through network drives and removable drives, according
to Symantec's Security Response page. After the initial infection, usually
the result of clicking on a malicious link on a Web page, it can download
additional files, steal information and open a back door on the compromised
machine. The worm also contains a rootkit that allows it to hide its presence
and it works slowly to avoid detection. "Its ultimate goal is clearly theft of
information," said Shunichi
, a Symantec researcher.
There is a "possibility" the virus collected confidential
claimant or employer information, such as names, Social Security numbers,
Employer Identification Numbers, email addresses, and residential or business
addresses. The affected system also contained bank information of employers.
"These days, whenever I hear of a big corporate infection
that's very hard to get rid of and people are struggling, I immediately think
of Qakbot," Roel Schouwenberg, an antivirus researcher at Kaspersky Lab, told Boston
NPR radio station WBUR.
Qakbot is especially aggressive and normally targets online
banking, although it has the ability to mutate itself to switch targets and
change its methods. The cyber-criminals behind the infection could have
remotely instructed the virus to go after names, addresses and Social Security
numbers stored in the state systems instead of focusing on banking sites,
"Only" the 1,200 employers that file their quarterly
statements manually with the departments could be impacted, according to the
EOLWD. Goldstein was "hopeful" that the actual impact on businesses and
residents was "minimal." Most of the 180,000 businesses tend to file online and
are likely not affected.
There is "no mechanism" available to determine the actual
number of individuals impacted, the EOLWD claimed, but any claimant who had
their file manually accessed could be affected. For a claimant to have their
data stolen, the staff member would have had to type in the information at an
"In a nutshell, if your computer is compromised, every bit
of information you type into your browser will be stolen," according to Patrick
, a senior security response manager at Symantec.
Anyone who "conducted business" from April 19 to May 13 that
required a staff person to access their file online with DCS, DUA or at a One
Stop Career Center should consider themselves impacted and put a fraud alert on
their credit for their protection, EOLWD said.
The system has been shut down and the breach is no longer
"active," according to Goldstein. The department is currently contacting all
affected residents and has already notified "all relevant and necessary" state
and federal agencies for assistance in remediating the breach. The list
includes the Attorney General's Cyber-Crime Unit, the Office of Consumer
Affairs and the Federal Bureau of Investigation.
"We take our customers' privacy very seriously.
Unfortunately, like many government and non-government organizations we were
targeted by criminal hackers who penetrated our system with a new strain of a
virus. All steps possible are being taken to avoid any future recurrence."