SAIF data breach exposes information from thousands of people

The Oregon workers' compensation insurer sent letters in late December notifying employees of six policyholders that their names and Social Security numbers had been accessed in a phishing attack.

A cyber-security breach at Oregon's State Accident Insurance Fund Corp. may have exposed confidential information of more than 1,750 people.

The information, including the individuals' names and Social Security numbers, was compromised on Nov. 3 when a hacker gained access to a SAIF auditor's email account. That account contained emails which included personal information on employees for six companies who get their workers' compensation insurance through the quasi-public agency. Among those affected are some substitute teachers and school classified workers in the Portland area.

As of late Wednesday, Jan. 3, there had been no reports of identity theft as a result of the attack, said Lauren Casier, a SAIF spokeswoman.

"SAIF is diligent about protecting the confidential information that is shared with us," Bruce Hoffman, the company's vice president of underwriting, wrote in a letter to affected employees. "We deeply regret that this incident has occurred. We are reviewing what needs to be done to avoid any recurrence."

Employees were notified in late December that their confidential information may have been exposed. The seven-week delay resulted from the time needed to manually review email folders and attachments to identify what personal information was contained and to compose a letter to employees, Casier said.

The affected employees work at six companies that buy insurance from SAIF, including EMS SubDesk, a Beaverton-based company that provides substitute teachers and classified workers to several public school districts in East Multnomah and Washington counties. Katey Thomas, EMS SubDesk's registered agent, did not return a telephone call from the Pamplin/EO Capital Bureau seeking comment on the data breach. A call and email to the company's general mailboxes also were not returned.

On Wednesday, Casier declined to release names of companies affected by the breach, citing a state public records disclosure exemption.

The Capital Bureau independently obtained a letter about the cyber-security failure that identified EMS SubDesk.

Casier did identify the other companies' location and line of work. They are:

• A home health care provider in Beaverton

• A construction company in Portland

• An agriculture company in Dayton

• A construction company in Hillsboro

• A construction company in Beaverton

One of the policyholders may have had financial account information exposed in the attack, and that policyholder has been notified, she said.

SAIF is required by law to request payroll information from policyholders as part of its premium audit process. While the request does not include Social Security numbers, employers sometimes provide that information as part of the payroll information, Casier said.

Upon learning of the hack on Nov. 3, SAIF officials immediately disabled the auditor's email accounts and reported the cyber-security breach to the FBI, the Oregon Department of Justice and consumer-reporting agencies Equifax, Experian and TransUnion.

SAIF also retained CSIdentity to provide employees of the policyholders with credit monitoring and credit restoration free for a year, Casier said. Employees have until March 31 to sign up.

Data breaches have affected high-profile companies such as Target and Equifax, the latter of which may have exposed private information of half of Americans.

How to avoid getting 'phished'

"Sensitive data can easily be the target of attacks; they should be well protected via … encryption, so that even if an attacker broke into an account and stole the data, they still cannot decrypt it," said Jun Li, a computer science professor and director of the University of Oregon's Center for Cyber Security and Privacy.

Oregon state agencies have struggled with cyber security for years. In 2014, hackers gained access to computer systems in the secretary of state's office and Employment Department. A year later, the state data center was hit.

A November 2016 audit, overseen by then-Secretary of State Jeanne Atkins, found problems at 13 agencies, concluding that "planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed."

Email account holders can avoid phishing attacks by refraining from clicking on links in emails "unless you are confident what the links really are," deploying state-of-the-art anti-phishing mechanisms, or installing meticulous spam filters, Li said.

Li also recommended credit monitoring for longer than 12 months after a hack, as an attacker could wait longer than a year to use the information.

The center holds an annual Oregon Cyber Security Day where the public can learn other ways to enhance cyber security. The next event is scheduled for April 20 at the University of Oregon in Eugene.



Paris Achen

Portland Tribune Capital Bureau

503-385-4899

email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Follow us on Twitter

Visit Us on Facebook

