On March 19, Calvert Internal Medicine in Maryland notified current and former employees of a computer compromise that may have exposed their Social Security numbers to misuse. A copy of their notification was sent to the Maryland Attorney General’s Office. From reading their description of the breach, it seems that ADP failed to restore a firewall after attempting to deal with another problem, but it’s not clear whether that simply accounts for the spam run problem or if it also contributed to a malware problem that may have compromised employees’ information. See what you think:
Calvert Internal Medicine Group (CIMG) Sequence of Events Relating to Potential IT Breach March 20, 2013
- During the week of March 10, 2013, CIMG was notified by its domain service that ~9,000 spam emails were identified as originating from CIMG’s mail server’s domain. Spam sources were distributed across the internet using a CIMG finance department employee’s email account, an account which was hosted off-site on an independent network’s service computer. Malware was detected in files in the spam inbox of the suspected computer.
- Several weeks prior to the spam discovery, in an effort to resolve a time clock data transmission problem, the finance department employee using the suspect computer placed a service call to ADP technical support. During the call, ADP technical support took control of the computer and disabled the computer’s fire wall. At the end of the service call, ADP technical support failed to reactivate the computer’s firewall.
- During the week of March 10, 2013, the suspect personal computer was removed from CIMG’s server. A new computer was installed.
- The finance department employee’s CIMG domain email account was disabled and replaced with a new, password protected, email address.
- Access passwords were changed for payroll (ADP), accounting (PeachTree) and banking services portals/software which resided on the computer.
- During the week of March 17, 2013, a CIMG employee was notified of irregular personal financial activity by a federal agency.
- Given the proximity of the two events, spam email originating from CIMG’s domain and suspicious activity involving an employee’s personal information/data, CIMG elected to notify all active and terminated employees of a suspected IT breach involving payroll- related information, employees’ names, addresses and social security numbers.
- With counsel’s assistance an employee notification document (attached) was drafted.