Trojan horse captured data on 2,300 Oregon taxpayers from infected gov't PC

Computerworld -

The Oregon Department of Revenue has been contacting some 2,300 taxpayers this week to notify them that their names, addresses or Social Security numbers may have been stolen by a Trojan horse program downloaded accidentally by a former worker who was surfing pornographic sites while at work in January.

Rosemary Hardin, a spokeswoman for the Salem, Ore.-based agency, said the malware was discovered on the worker's desktop computer on May 15, after the worker was fired for violating departmental policies that forbid inappropriate Web surfing at work. The Trojan horse was found after IT workers investigated performance problems with the computer. The worker is not being identified by the agency.

An investigation by agency security personnel and the Oregon State Police found that the malicious program was designed to capture keystrokes on the former employee's computer, Hardin said. The employee was an entry-level worker who was assigned to entering taxpayer name and address changes, as well as some Social Security numbers. "We know that the information that the Trojan gathered up was transmitted outside of the agency" to an unrelated Web site. The incident is still under investigation.

Officials at the Department of Revenue don't know whether any of the transmitted information was ever received, she said. None of the information included income tax or banking information for the affected taxpayers.

The Trojan horse was apparently included in a video download or some other similar file saved on the computer by the former employee. "This individual was surfing pornographic sites and other inappropriate sites," she said. The department uses Web blocking software, but the former worker was apparently able to access a porn site that had not yet been blocked by the software, she said.

Internet usage is monitored on a random basis for all 1,000 of the agency's employees, Hardin said, but workers at that time were allowed to conduct personal Web business, such as checking their banking or personal e-mail accounts, during lunch and other breaks. Since the incident, however, workers are no longer permitted to conduct any personal business on agency computers while at work. "We've changed our policy for now to prohibit personal use because we want to minimize the risk of this ever happening again."

The Trojan horse was of such a new variety that the agency's antivirus software, which is updated every two hours for security reasons, had not yet been updated to protect against it, Hardin said. The agency reported the malware's strain to the antivirus vendors, who then updated their software.

There have been no reports of identity theft connected to the incident so far, though about 200 people have called with questions, according to Hardin. "People seem to be understanding," she said. "Nobody has reported any kind of suspicious activity."

All 2,300 affected taxpayers have been offered help in guarding against identity theft. The agency is looking into providing a year's worth of free credit monitoring services for each of the taxpayers and will soon contact them about how to sign up for that program, Hardin said. The department also set up a Web page listing frequently asked questions about the Trojan horse to provide more information.

"This has been very difficult for us," Hardin said. "Protecting the confidential information of our taxpayers is at the core of what we do."

Read more about it in government in Computerworld's IT in Government Knowledge Center.