Cyberattack on Georgia agency exposed private information of parents, children

ATLANTA — Hackers breached state email accounts in the Georgia Department of Human Services exposing personal information of adults and children who have cases with Child Protective Services and the Division of Family and Children Services.

The breach happened in the first two weeks of May, but state officials say it was August before state officials learned attackers were able to obtain emails that contained personal data, including health information.

The state says the amount of data stolen depends on each individual but includes:

  • Full names of children and household members
  • Relationships to children receiving services
  • County of residence
  • Date of birth
  • Phone Numbers
  • Email addresses
  • Social Security Numbers
  • DFCS case numbers and identification numbers
  • Contacts by DFCS and whether face-to-face contact was medically appropriate
  • Medicaid identification numbers
  • Medical provider names and appointment dates
  • Psychological reports and counseling notes

The breach also included substance abuse information for a dozen people and bank account information for one individual.

The state is reaching out to those who have been affected to help them protect their identity. If you think that your information may be involved in the breach and you had a case with CPS in the spring you can reach out for more information.

Channel 2′s Matt Johnson talked to cyber security experts about how the breach could have happened and how it could affect Georgians.

Rafal Los, a cyber security expert with Lightstream, said the breach likely happened through “phishing," or when hackers send fake emails to tons of email addresses hoping someone gives over personal information.

“This is likely a low-sophistication attack against a department or an organization that has done very little in their security practices,” Los said.

Los said that as a parent himself, the attack is particularly heartbreaking.

“So many ways to be victimized, those that are already victimized,” Los said. “Care should be given not just to protect the kids, but protected personnel and highly sensitive information.”

Los isn’t alone in thinking that the DHS should have had more rigorous security measures in place.

Dr. Andy Green, a cyber security and privacy expert at Kennesaw State University, said he wonders if the most basic security was installed at the time of the attack.

“Multi-factor authentication is a common approach used to raise the security bar for an organization and it’s done fairly inexpensively,” Green said.

Green said some of the information just doesn’t belong in an email.

“It’s incumbent upon the DHS to develop processes and procedures to allow their employees to share that data in a more sensitive manner than just email,” Green said.

You can call 1-888-304-1021 from 9 a.m. to 4 p.m. Monday through Friday excluding state holidays.