This week, the Kentucky Unemployment system was hit by a cyber attack – the third cyber incident in ten months. Ironically, there was very little media coverage which means that the media considers cyber attacks on KY state government as “old news”.
What is old are the antiquated systems that the state uses and they are becoming more vulnerable with time.
Following the April 2020 data breach, the governor asked the inspector general at the transportation cabinet to “look at the breach to ensure the software is sufficiently secure”. This response not only was in itself “insufficient”, but it also allowed the continuation of the use of old and vulnerable systems which hold the personal and financial information of hundreds of thousands of Kentucky citizens.
Additionally, following the most recent attack in which the system was flooded by random login usernames, the state claimed that none of the login attempts were successful within hours of the attack. How can they know that definitively? It has been 3 months since the Solar Winds attack and the federal government is STILL uncovering infiltrations. The only way the state can know for sure that there were no infiltrations is to do a comprehensive network analysis. Has that been done? A comprehensive network analysis and system scan would have to be completed to be able to authoritatively state whether there is any malware, infiltration, or data theft. The next step would clearly be to educate the workforce on how to respond as well as implementing new policies to create a security-conscious culture. Lastly, updates to the system architecture and patching/replacing software to harden the systems is critically required.
The legislature must prioritize cyber security for the protection of the data of the citizens of the Commonwealth because the next time may be devastating, assuming it isn’t already too late.