Calling it a “catch-22”, Oklahoma state officials declined to release which state agency was discovered to have been attacked by hackers, claiming on Wednesday that releasing the name could compromise the agency further.
Last week, the state director of Oklahoma CyberCommand told a House of Representative committee an agency had been attacked and confirmed the CyberCommand was investigating a “suspicion” the agency was forced to pay a ransom for its data.
However, the investigation revealed that no money had been paid to hackers, according to Tuesday’s joint statement from Governor Mary Fallin’s Office and the Office of Management and Enterprise Services.
“We have yet to ascertain the severity of the attack, how effective it was or if state data was compromised or put in a position of it being of no use,” Rep. Jason Murphy (R-Guthrie) said in an interview on Wednesday.
Mark Gower, the state’s Director of Information Technology Security, told the House Government Modernization Committee an unnamed agency had been attacked with what’s known as “Ransomware”, according to a News 9 reporter at the committee meeting last week.
“Ransomware” encrypts and locks up data from being used. Hackers then ask for a sum of money to unlock the data. Gower said money had been laundered and paid out to hackers through the online currency, Bitcoin.
Under a 2011 law, 78 Oklahoma agencies are required to be "unified" under the same statewide cyber- umbrella. But in the last six years, only 58 have signed on. The agency hacked was one of the 20 not in compliance.
“The state has mandated that all appropriated agencies come under the umbrella of a protection of cyber command that process is planned to end at the end of this fiscal year,” Murphy said.
State records show those agencies include Department of Corrections, the Attorney General's Office, the Department of Mental Health and Substance Abuse, and the Oklahoma State Bureau of Investigation among other large agencies with sensitive information from thousands of Oklahomans.
“Those agencies are putting at risk the it resources of their agency potentially not following best practices and are potentially quite vulnerable to newly developed ransom ware attacks such as the one we've been looking at,” said Murphy.
“This incident further illustrates how essential IT unification has been in protecting our state’s technological infrastructure,” Fallin said in her statement.
Fallin and the Office of Enterprise Management continued in the statements and said the unification of state IT systems also saves tax payers money.
According to the release, roughly $129 million has been saved in cost reductions and projected savings.
The attack is not the first publicly reported incident. In late 2016, it was reported an email address used by the governor to occasionally discuss state business appeared to be a part of a 2012 hack of Yahoo customers by Russian hackers.
It is still unclear if any information was compromised. The Governor’s office said at the time the situation had been resolved, and there was never any actual breach of security.
With the most recent incident, Murphy said there are still several questions left unanswered including how much money was asked for by the hackers, how much information was compromised and which agency was attacked.