Report Blames Outside Software for Oregon Computer Breach

May 27, 2014 by

A piece of third-party software that hadn’t been updated might have been the vulnerable point invaded by hackers of the Oregon secretary of state’s website, a state report found.

The February breach took election and business records offline for nearly three weeks, delaying disclosure of campaign-finance information and forcing staff to handle many functions by hand.

Citing security concerns, officials wouldn’t name the suspect software but described it as an application development tool commonly used by governments and private-sector organizations.

They say the software has now been patched, and they’re working to have future security updates installed automatically.

The report was sent to state lawmakers on Thursday. Secretary of State Kate Brown is asking the Legislature’s Emergency Board for approval to move money around to cover the $176,000 price tag for investigating and fixing the problem.

The secretary of state’s office has more than 1,300 types of software, said Tony Green, an agency spokesman. Many update automatically, but some require staff to download them manually.

“We are working toward a solution to remove the human element and provide for an automated method for providing patching updates,” Green said.

Officials wrote that encrypted, personally identifiable information was stored on the agency’s computers, but they didn’t identify the type of information, again citing security concerns.

The agency says it spent $176,223 responding to the attack, about a quarter of it on overtime for 17 employees. It also bought new hardware and software, including a vulnerability management tool that tracks which software needs updates.

It paid $72,000 to Virtual Security Research LLC for an analysis of vulnerabilities on the network and training to prevent future problems. Another contractor handled communications with people who had information stored in the affected databases.

About $5,000 was spent on hotel rooms and lodging for four employees who stayed in Salem so they could work through a snowstorm that made travel difficult.