The Maryland Department of Labor revealed Friday that two databases it manages were available to unauthorized users, potentially exposing the personally identifiable information of roughly 78,000 people.
The exposures were found earlier this year after an investigation by the state’s Department of Information Technology showed that the Literacy Works Information System, which handles data for the state’s adult education programs, and a legacy unemployment insurance database could have been accessed on the public internet.
“We live in an age of highly sophisticated information security threats,” said James E. Rzepkowski, Maryland’s acting labor secretary.
The compromised files date back to 2009. Both sets contained first names, surnames and Social Security numbers, while the Literacy Works Information System also included dates of birth, city or county of residence, graduation dates and record numbers, Maryland officials said.
Verification of the possible data breach was shared with law enforcement agencies and also investigated by an independent analyst. The Department of Labor said it has since reviewed and updated its information security measures, though the investigation did not reveal any evidence confirming that any of the affected data was downloaded from the agency’s servers.
“Maryland is working to ensure its cybersecurity strategy and policy are in alignment with best practices and the latest federal standards and guidelines,” John Evans, Maryland’s chief information security officer, said in a press release. “We are working with the Department of Labor to minimize the impact of this breach, and to prevent future misuse of state systems.”
The state government is offering two years of free credit monitoring to the people whose records were affected.
The incident appears to be the largest data breach or exposure involving the Maryland state government since 2014, when hackers illegally accessed records for more than 300,000 students, faculty and staff at the University of Maryland.
Maryland is now overhauling its cybersecurity governance, following an executive order Gov. Larry Hogan signed last month. Hogan’s order, in addition to formalizing Evans’ role as the state’s CISO, called for the creation of a new statewide security office responsible for setting data and identity-management standards. It also formed the new Maryland Cybersecurity Coordinating Council, which will be comprised of the CISO and several agency heads, though the labor secretary is not among the members.