Notification letters from the State of Montana started to be sent out this week outlining the data breach they had suffered which affects 1.3 million people. The breach was discovered in mid-May by a contractor. The breach resulted in open access which apparently lasted from July 2013 until May 15, 2014. The breach was officially announced on May 29th.
From Montana Standard:
A computer-security contractor for the state discovered the potential hacking in mid-May, after noticing “suspicious activity” on one of the department’s computers in Helena that stores millions of records, state officials said.
Ron Baldwin, the state’s chief information officer, said the contractor noticed what appeared to be unauthorized Internet access to the DPHSS computer and confirmed the breach. Further investigation indicated that hackers had gained access to the computer last July.
The question might be asked as to why it took almost a month and half to notify affected parties. In a case like this when law enforcement is involved there needs to be a grace period while the investigation is underway.
From the Montana Code:
(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay of notification. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.
Fair enough. While the intruders had access to personally identifiable information for 1.3 million residents of Montana the State officials seemed to think that the intruders had not taken any of the data. I’m sorry but, that sounds incredibly peculiar. If the nefarious types had access to the information for almost a year what would lead them to suspect that they didn’t take any?
The State is asking anyone who was affected by the breach to call (800) 809-2956 for people who have questions. They will also be offering credit reporting for all affected but, people will need to enroll in the program in order to receive it.
What did strike me as interesting is that there is no mention of the breach anywhere on the Montana.gov site.
Queue the tumbling tumbleweed...
(Image used under CC from Nomadic Lass)