The Boston Herald reported yesterday that a computer virus (really a worm) identified as W32.QAKBOT was found to have infected at least 1,500 computers belonging to the Massachusetts Labor and Workforce Development agency.
According to the press release of the Executive Office of the Labor and Workforce Development that was posted on Tuesday, the worm was originally discovered on the 20th of April, and was thought to have been eliminated at that time by the Agency's security provider, Symantec. For reasons not disclosed, the worm was not able to be totally eliminated; nor was it disclosed how the worm likely infected the agency's computers in the first place.
The worm was found again on Monday and it was discovered that information from hundreds of Massachusetts employers residing with the Departments of Unemployment Assistance (DUA) and Career Services (DCS) had potentially been compromised. The agency immediately shut down the computers to stop the security breach.
The press release goes on to say that:
"There is a possibility that as a result of the infection, the virus collected confidential claimant or employer information. This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses. It is possible that bank information of employers was also transmitted through the virus. Only the 1200 employers that manually file could be impacted by the possible data breach."
The Herald story says that the Labor and Workforce Development agency is going to notify all 210,000 people it does business with of the breach, even though it believes that those actually affected are far fewer than this number indicates.
A Boston Globe story today says that there is little concern that the worm will spread to other state computers because they are physically disconnected from those of the Labor and Workforce Development computers. However, if the infection was caused by a phishing email that a state worker opened, that lack of concern may be a bit premature.
At least the unemployment agency didn't apologize for any "inconvenience" the breach has caused.