Government servers said constant targets

Speaker: Email click can cause havoc

State government computer systems face 75,000 attacks every day, Mark Myers, director of the Arkansas Department of Information Systems, told the Arkansas TechJunction conference on Wednesday.

Information stored on state servers is valuable, said Myers, who was the keynote speaker at the day-long series of information technology and security seminars held at Little Rock's Statehouse Convention Center.

The state's information systems host student and financial management information for every school district in the state, the public-employee retirement system, the state's child-support system and troves of insurance information.

"Government is under attack," he said. "These are guys who are willing to do just about anything to get into your system."

But the state has effective tools to stop computer crime, Myers said.

Automated systems at the Department of Information Systems inspect billions of events and block 75,000 attacks and 400,000 spam emails every day. The state's network is monitored 24 hours per day, 365 days a year, he said.

Myers said the state is working to avoid situations similar to what happened in South Carolina.

In 2012, 3.6 million Social Security numbers and thousands of credit card numbers were stolen from that state's Department of Revenue. It took two weeks to close the vulnerability and cost the state millions of dollars, Myers said.

"It was as simple as a split-second action," he said. "There is an employee who had clicked on a phishing email."

"Phishing" attacks are illegal attempts to gather personal information such as usernames and passwords through fake emails that appear to come from a bank or other official source.

Myers said such attacks are the top threat to state government.

A few months ago, a hacker started sending phishing emails to Arkansas government employees. A database administrator, who should have known better, clicked on one, Myers said.

Luckily, the Department of Information Systems was able to send notifications before damage was done, he said.

"[Chief information officers] have to be successful every time, but cybercriminals only have to be successful one time," Myers said. "I lay awake at night wondering, 'Has my network been breached, and has data been stolen that I don't know about.'"

Sometimes the state has been less fortunate.

In 2014, Arkansas State University reported a breach to a professional development database for early childhood practitioners that affected up to 50,000 people, Myers said.

The University of Arkansas for Medical Sciences has had two data breaches, including about 1,500 patient records that were compromised when a former doctor kept their medical records, Myers said.

In 2008, Sherwood lost part of about $200,000 in municipal funds when a hacker used the treasurer's username and password to transfer the money.

The city recovered about half of the missing money. The bank wasn't liable because legitimate credentials were used, he said.

Sometimes hackers' activities are secretive. Other times, their actions are quite apparent.

Myers said one state employee received a ransom letter over files a hacker copied and then deleted from the employee's computer.

"[The employee] clicked on a malicious link somewhere. The next thing we knew, the bad guys were demanding money for the return of his files," Myers said. "We spent man-hours, many man-hours, trying to recover the files and restore the network.

"Ultimately, we had to destroy the computer."

Metro on 05/21/2015
