Data theft may expose jobless residents

Breach could affect up to 210,000 in Mass.; state gives notification 4 weeks after attack

By Hiawatha Bray
Globe Staff / May 18, 2011

E-mail this article

Invalid E-mail address
Invalid E-mail address

Sending your article

Your article has been sent.

Text size +

The personal financial information of up to 210,000 unemployed Massachusetts residents may have been stolen in a data breach caused by a virus discovered in state labor department computers four weeks ago, officials said yesterday.

Names, addresses, and Social Security numbers, among other data, may have been taken, said John Glennon, chief information officer for the Massachusetts Executive Office of Labor and Workforce Development.

The number of affected recipients is probably a small fraction of the total number of potential victims, according to Glennon. The virus attempted to transmit confidential information to digital thieves, he added, but it was not clear how much, or even whether, any data was successfully stolen.

The state is sending notification letters to every possible victim as a precaution. “We don’t know what may have been compromised,’’ Glennon said.

Joanne Goldstein, the secretary of labor and workforce development, said that possible victims of the breach should act immediately to protect themselves by putting a credit freeze or a security alert on their credit reports. Such actions will generally prevent criminals from using stolen Social Security numbers to borrow money in their victims’ names. To place credit freeze or security alert, consumers should contact the three major credit reporting agencies, TransUnion, Equifax, and Experian. In Massachusetts, placing a credit freeze is free for victims of identity theft.

The infection was detected on April 20, raising questions about why it took so long for officials to notify the public. A state law requires businesses to report data breaches “as soon as practicable and without unreasonable delay’’ to the attorney general’s office.

Amie Breton, a spokeswoman for Attorney General Martha Coakley, said it was too soon to judge whether the labor department should have issued its warning earlier.

Labor department officials also plan to contact about 1,200 Massachusetts employers that may also be victims. The companies file quarterly statements using agency computers, and thieves may have gained access to their bank account information.

Only information entered into the system between April 19 and May 13 may have been compromised.

Computer viruses are so common that it might not make sense to issue an immediate warning when a network is infected, said Chester Wisniewski, a network security analyst for Sophos Corp. in Vancouver, British Columbia, Canada. But he added that a delay in warning possible victims could give identity thieves extra time to exploit the stolen data. “If these criminals already have your Social Security number, and they’re running around out there doing fraud, you didn’t even have a chance to put a freeze on your credit report,’’ Wisniewski said.

About 1,500 computers in the department’s unemployment assistance and career services departments, and its One Stop Career Centers, were infected with the computer virus called Qakbot, which is designed to let an attacker take control of infected computers and to steal information from the machines.

Last year, the computer security firm Symantec Corp. said a version of the Qakbot virus stole about four gigabytes of personal information from thousands of infected computers, including 1,100 machines used by Great Britain’s National Health Service.

Glennon said the labor department’s computers were protected by Symantec’s latest antivirus software, but were hit by a new variant of Qakbot that wasn’t detected by the program.

Agency workers began to complain that their computers were running sluggishly — a common indication that machines have been infected with a virus — and network managers tried in vain to clean the infected machines. They eventually discovered that the virus was capturing information being typed on the keyboards of infected computers. In a sense, that was good news, according to Glennon, because it meant the virus did not copy files stored on the infected computers’ hard drives.

Still, the typed entries could have provided the thieves with names, addresses, phone numbers, and Social Security numbers. They might also have stolen information from the 1,200 employers that use the computers in state offices to enter information, and from visitors to the One Stop Career Centers who use the computers to look for work.

The potential impact of the breach is dwarfed by other recent data thefts. In April, Sony Corp. suffered an attack on several of its networks used by consumers for video gaming, music, and movie downloads. In the same month, Texas e-mail marketing firm Epsilon Data Management LLC reported that hackers had raided its network and stolen the e-mail addresses of millions of US consumers.

The state labor department has posted more information for people who may be affected by the breach at its website, It has also set up a telephone hotline at 1-877-232-6200.

Hiawatha Bray can be reached at