On Jan. 31, 2019, the Wright
County Information Technology Department discovered unusual activity in the
county’s email system, as an unknown party was able to enter an individual
email account in the county’s Office 365 system. The county took immediate
steps to shut down the email system and to hire a computer forensics expert to
analyze the specifics on what happened. On April 22, 2019, the investigation
revealed that a phishing email had involved 11 other email accounts.
The investigation searched
every email in all the accounts, which was extremely laborious and
time-consuming and wasn’t completed until Feb. 28, 2020. Additional analysis
was completed in late-March 2020. As part of the investigative process, it was
determined that personal, private or confidential information from 12,320
individuals was contained in the emails and document attachments.
“A distinction needs to be
made about this process,” Wright County Administrator Lee Kelly said. “This
intrusion was in an employee email account, not the county’s network or databases.
As part of the investigation, the computer forensics firm examined whether any
of the information was used for the purposes of fraud or identity theft and
found no instances of either. However, as a precaution just to be sure, the
county is providing free access to all major consumer credit reporting agencies
for those whose names were identified to assure that were not the victims of
identity theft.”
The information that was
potentially involved included names, addresses, dates of birth, social security
numbers, driver’s license/I.D. card numbers, medical/health insurance
information financial account information private personnel data and personal
information involving minors.
Since the 2019 incident,
Wright County has taken preventive measures to enhance the security of its
entire system, which County Board Chair Christine Husom said has improved the
security of the personal information the county holds and retains.
“There have been several
steps that have been taken over the last year to strengthen the security of all
of our county systems to help reduce the risk of something like this happening
again,” Husom said. “When our I.T. director position came open, we hired
someone with an extensive cybersecurity background with the U.S. Department of
Defense. We implemented a system of segregating protected and personal
information from within the county’s cyber network. We implemented multi-factor
authentication to access accounts. We have required all employees to take part
in mandatory cybersecurity training to help identify email threats and to spot
phishing emails. We can’t change what happened, but we have gone to great
lengths to prevent it from reoccurring.”
As part of the notification
process, a call center has been established for individuals to call to see if
their names are on the list of those potentially impacted. The number is 833-979-2231
and is open from 8 a.m. to 8 p.m. Monday through Friday.
While the delay from when the
incident took place until now has been more than 15 months, Kelly said it has
been a process that was necessary given the time it took to fully complete the
investigation and examine every page of every document that was red flagged.
“Unfortunately, this is the
world we live in now,” Kelly said. “Many of the people who do these sorts of
attacks aren’t out to steal anyone’s private information. Most just want to
prove to themselves that they can find a way into a system. The fact that the
investigation didn’t find any cases of identity theft over the last year among
the names involved in the emails lends to that way of thinking that this wasn’t
someone with malicious intent to steal identities and use people’s private
information. We regret this happened, obviously, but we have done our due
diligence to make sure that our system for protecting information and detecting
those who try to get access to it has been strengthened to reduce the potential
of a repeat of this type of attack.”