A newly identified strain of the computer worm W32.Qakbot infected the departments of Unemployment Assistance and Career Services networks and computers as well as computers at the state's One Stop Career Centers beginning on April 20, according to a statement from the Executive Office of Labor and Workforce Development issued Tuesday.
No mechanism exists to allow Labor and Workforce Development to determine the number of individuals affected, the state said, but claimants who had their unemployment insurance files manually accessed from April 19 through May 13 could be affected. Workers whose former employers filed claim information electronically were not likely affected by the breach. But businesses that file their quarterly statements manually - about 1,200 of 180,000 - may have had identifying information transmitted through the virus.
Officials said the state responded to the incident immediately to rid the computers of the virus with the help of security provider Symantec, and initially thought the efforts succeeded. But Labor and Workforce Development learned Monday that the worm wasn't vanquished and the persistence of W32.Qakbot resulted in the data breach.
Once discovered, the state said it shut down the system and the breach is no longer active. W32.Qakbot may have infected as many as 1,500 computers housed in the two departments.
According to Symantec, W32.Qakbot spreads through shared resources and removable drives, downloads additional files, steals information and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. W32.Qakbot spreads by exploiting vulnerabilities when a user visits certain web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker. It also copies itself to removable drives.
Labor and Workforce Development Secretary Joanne Goldstein apologized for the breach and said the state is in the process of notifying each individual who might have been victimized. "Unfortunately," she said, "like many government and non-government organizations, we were targeted by criminal hackers who penetrated our system with a new strain of a virus. All steps possible are being taken to avoid any future recurrence."
The state set up a hotline - 877-232-6200 - to assist possible victims.
Massachusetts' attorney general is investigating the breach.