The Maryland Department of Labor today began notifying 78,000 customers with details about potential unauthorized activity on two of its database systems. While some personally identifiable information may have been accessed without authorization, a thorough investigation conducted by the Department has not revealed any misuse of the accessed data.
Earlier this year, at the request of the Maryland Department of Labor, the Maryland Department of Information Technology—the agency overseeing all state information technology functions and policies—initiated an investigation and determined that files stored on the Literacy Works Information System and a legacy unemployment insurance service database were subject to possible unauthorized access through the Internet.
Upon notification of the possibility of unauthorized access, Maryland DoIT implemented countermeasures and initiated an investigation. Working with the Department of Labor, Maryland DoIT also notified law enforcement and retained an independent expert to investigate how the information was accessed. A full review of the department’s protocols and security measures has been completed to prevent future incidents. To date, this investigation has not produced evidence to confirm that any personally identifiable information was downloaded or extracted from Labor servers.
With this investigation now complete, the Department of Labor is contacting the customers who were impacted by the incident and encouraging them to carefully monitor their accounts. Those who have been affected will be offered two years of free credit monitoring through an independent service.
Customers who believe they have been affected by the incident can contact the Department of Labor’s dedicated hotline by e-mailing [email protected] or calling 410-767-5899. This hotline will be staffed Monday-Friday from 8:00 a.m. – 4:30 p.m. For additional information, please visit the Maryland Department of Labor data hotline web page.
Files stored on the Literacy Works Information System (LWIS) and a legacy unemployment insurance service database were subject to the incident. The LWIS files impacted were from 2009, 2010, and 2014. These files possibly contained first names, last names, social security numbers, dates of birth, city or county of residence, graduation dates and record numbers. The files impacted on the unemployment insurance service database were from 2013 and possibly contained first names, last names, and social security numbers.
“We live in an age of highly sophisticated information security threats,” said Acting Labor Secretary James E. Rzepkowski. “We are committed to doing all we can to protect our customers and their information. We strongly urge those impacted to be vigilant about unusual activity on their accounts, and to take advantage of the credit monitoring being offered by the state.”
The increasing volume and enhanced capabilities of malicious actors have highlighted the importance of further securing data. Recognizing this growing threat, Governor Larry Hogan issued an executive order in June, which included hiring a Maryland Chief Information Security Officer and establishing the Office of Security Management and the Maryland Cybersecurity Coordinating Council. The three entities will work together to strengthen the state’s cybersecurity infrastructure while solidifying its ability to manage and minimize the consequences of a cybersecurity incident.
“Maryland is working to ensure its cybersecurity strategy and policy are in alignment with best practices and the latest federal standards and guidelines,” said John Evans, Maryland’s Chief Information Security Officer. “We are working with the Department of Labor to minimize the impact of this breach, and to prevent future misuse of state systems.”
For more information on protecting yourself from identity theft, including information on how to place freezes on your credit accounts, visit the Maryland Attorney General’s Identity Theft Unit online.