Texas said hackers compromised an account at the Department of Transportation (TxDOT), which discovered unusual activity on May 12 in its Crash Records Information System (CRIS).
# Incident Report: State Agency Data Breaches in Texas and Illinois
## Executive Summary
Two separate state agencies, the Texas Department of Transportation (TxDOT) and the Illinois Department of Healthcare and Family Services (HFS), recently disclosed significant data breaches. The TxDOT incident involved the unauthorized access and download of nearly 300,000 crash reports via a compromised system account, while the Illinois HFS breach resulted from a phishing attack that compromised an employee's email and documents, exposing sensitive PII for 933 individuals. Both agencies have initiated investigations and are notifying affected parties.
## Incident Details
- Discovery Date: May 12 (TxDOT); not disclosed (Illinois HFS; the phishing attack is reported to have occurred in February)
- Incident Date: On or before May 12 (TxDOT; May 12 is the date the unusual activity was discovered); February (Illinois HFS)
- Affected Organization: Texas Department of Transportation (TxDOT), Illinois Department of Healthcare and Family Services (HFS)
- Sector: Government/Transportation & Healthcare/Social Services
- Geography: Texas, USA; Illinois, USA
## Timeline of Events
### Initial Access
- **Date/Time (TxDOT):** Prior to or on May 12 (date of unusual activity discovery).
- **Vector (TxDOT):** Compromised system account within the Crash Records Information System (CRIS).
- **Details (TxDOT):** An existing CRIS account was used to access and download records; how the attacker obtained the account is not detailed.
- **Date/Time (Illinois HFS):** February.
- **Vector (Illinois HFS):** Successful phishing attack targeting an employee.
- **Details (Illinois HFS):** An attacker sent emails from another, already compromised government account; an HFS employee was tricked, and the employee's email and documents were compromised as a result.
### Lateral Movement
- *(No lateral movement was reported for either incident; the disclosures describe access only to the specific target, the CRIS for TxDOT and one employee's mailbox and documents for HFS.)*
### Data Exfiltration/Impact
- **TxDOT:** Access and download of almost 300,000 crash reports from the CRIS, including names, addresses, driver’s license numbers, license plate numbers, insurance policy numbers, injury details, and incident narratives.
- **Illinois HFS:** Compromise of one HFS employee’s emails and documents, exposing data including Social Security numbers, driver’s licenses, state ID cards, and financial information related to child support and Medicaid.
### Detection & Response
- **TxDOT:** Unusual activity on the CRIS was discovered on May 12. The compromised account was shut down immediately upon discovery.
- **Illinois HFS:** The phishing attack occurred in February; public notification, by letters to the 933 affected individuals, occurred around the same time as the Texas disclosure.
## Attack Methodology
| Category | TxDOT Methodology | Illinois HFS Methodology |
| :--- | :--- | :--- |
| **Initial Access** | Compromised System Account | Successful Phishing (emails from a trusted-looking government account) |
| **Persistence** | *(Not detailed)* | *(Not detailed; inferred to be the compromised employee account itself)* |
| **Privilege Escalation** | *(Not detailed)* | *(Not detailed)* |
| **Defense Evasion** | *(Not detailed)* | Utilizing a pre-compromised government email source to appear trustworthy |
| **Credential Access** | *(Not detailed; a valid account was used, so credential reuse or a prior credential exposure is inferred)* | Credentials or session of the targeted employee obtained via phishing |
| **Discovery** | *(Inferred access to CRIS database)* | *(Inferred accessing employee file system/email storage)* |
| **Lateral Movement** | *(Not detailed)* | *(Not detailed)* |
| **Collection** | Accessing and downloading crash reports from CRIS database | Accessing and exfiltrating employee emails and documents |
| **Exfiltration** | Downloaded data from CRIS | Data exfiltrated from the compromised employee's accessible files/emails |
| **Impact** | Theft of sensitive crash-report PII from nearly 300,000 reports | Theft of PII (SSNs, state IDs, financial data) for 933 individuals |
## Impact Assessment
- **Financial:** *(Not disclosed)*
- **Data Breach:**
- **TxDOT:** Nearly 300,000 crash reports containing detailed PII (names, addresses, DL/LP numbers, insurance info).
- **Illinois HFS:** Records for 933 individuals containing highly sensitive data (SSNs, financial data, state IDs).
- **Operational:** TxDOT shut down the compromised account and is continuing its investigation; Illinois HFS had an employee account compromised, exposing the data held in it.
- **Reputational:** Negative publicity following public disclosure by both states (Texas said it notified the public even though it was not legally required to).
## Indicators of Compromise
* **Network indicators:** *(None published for either incident; both intrusions used legitimate accounts, one obtained through phishing.)*
* **File indicators:** *(Specific file hashes or filenames not provided.)*
* **Behavioral indicators:** Anomalous bulk access and download of crash reports by a single CRIS account (TxDOT); inbound mail from a legitimate but compromised government account, followed by compromise of the recipient's account (Illinois HFS).
## Response Actions
- **Containment:**
- **TxDOT:** Shut down the compromised system account immediately.
- **Illinois HFS:** Contained the employee account compromise (implied).
- **Eradication:** *(Not detailed for either agency. Neither has described steps such as credential resets or revocation of active sessions for the affected accounts.)*
- **Recovery:**
- **TxDOT:** Continuing investigation.
- **General:** Notifying impacted individuals by mail; TxDOT also established a dedicated call line for affected people.
## Lessons Learned
- **Account Security is Critical:** The TxDOT incident highlights that a single compromised system account can lead to massive data loss if that account has broad access to sensitive, legally mandated systems (CRIS).
- **Phishing Sophistication:** The Illinois incident demonstrates the effectiveness of "trusted source" phishing (using existing compromised government accounts as the source) to bypass basic employee skepticism.
- **Proactive Notification:** Texas opted to notify the public despite claiming no legal requirement to do so, demonstrating best practice in data breach management.
## Recommendations
- **TxDOT/CRIS:** Enforce Multi-Factor Authentication (MFA) on all CRIS accounts, including system and service accounts. Audit CRIS access now to identify any other accounts with bulk read or export capability that require remediation, and alert on download volumes far above an account's established baseline.
- **Illinois HFS/General:** Conduct mandatory, recurring, scenario-based phishing training for all government employees. Because the phishing mail came from a genuinely compromised government account, sender authentication (SPF/DKIM/DMARC) would have passed, so training should stress content and context cues rather than the sending domain. Review outbound email gateways for internal accounts that suddenly send to unusually many external recipients, the pattern produced when a compromised government mailbox is used to phish other agencies.
- **General:** Review data retention policies for non-essential PII within databases like crash reports.
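Both detection recommendations above are behavioural, and a short worked example makes the checks concrete. The following is an added example, not code from TxDOT, Illinois HFS or this report: it runs two simple detectors over constructed, synthetic log lines. The first flags an account whose downloads in a sliding window far exceed its baseline (the kind of check that would surface a single CRIS account pulling hundreds of thousands of crash reports). The second flags an internal mailbox that mails many distinct outside domains in a short period (the outbound-gateway review suggested for the HFS vector). Log formats, field names, thresholds and account names (`analyst1`, `svc_reports`, `hfs.example`) are assumptions for illustration.

```python
"""Added example: two behavioural detectors over constructed log lines.

Not code from TxDOT, Illinois HFS or the report; log formats, field names,
thresholds and account names are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamps used by the constructed logs."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def flag_bulk_downloads(log_lines, baseline, window=timedelta(hours=1),
                        multiplier=5, floor=50):
    """Return {account: peak_window_count} for accounts whose downloads in any
    sliding window exceed max(floor, multiplier * baseline[account]).

    log_lines: chronologically ordered "timestamp account action record_id".
    baseline:  typical downloads per window for each account (assumed known
               from history; unknown accounts get a baseline of 0).
    """
    windows = defaultdict(deque)   # account -> download timestamps in window
    flagged = {}
    for line in log_lines:
        stamp, account, action, _record = line.split()
        if action != "download":
            continue
        now = parse_ts(stamp)
        recent = windows[account]
        recent.append(now)
        while recent and now - recent[0] > window:
            recent.popleft()
        limit = max(floor, multiplier * baseline.get(account, 0))
        if len(recent) > limit:
            flagged[account] = max(flagged.get(account, 0), len(recent))
    return flagged


def flag_outbound_fanout(mail_lines, own_domain, window=timedelta(hours=24),
                         max_domains=10):
    """Return {sender: distinct_external_domains} for internal senders that
    mailed more than max_domains distinct outside domains within the window.

    mail_lines: chronologically ordered "timestamp sender recipient".
    Mail from a genuinely compromised mailbox passes SPF/DKIM/DMARC, so this
    check looks at sending behaviour rather than authentication results.
    """
    recent_by_sender = defaultdict(deque)   # sender -> (timestamp, domain)
    flagged = {}
    for line in mail_lines:
        stamp, sender, recipient = line.split()
        if not sender.endswith("@" + own_domain):
            continue                         # only internal senders matter
        domain = recipient.rsplit("@", 1)[1]
        if domain == own_domain:
            continue                         # internal mail is not fan-out
        now = parse_ts(stamp)
        recent = recent_by_sender[sender]
        recent.append((now, domain))
        while recent and now - recent[0][0] > window:
            recent.popleft()
        distinct = len({d for _, d in recent})
        if distinct > max_domains:
            flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged


def build_access_log():
    """Constructed CRIS-style access log: an analyst at a normal pace and a
    service account pulling 120 reports in ten minutes (hypothetical names)."""
    start = datetime(2025, 5, 12, 1, 0, 0)
    lines = []
    for i in range(10):                      # one report every 20 minutes
        when = start + timedelta(minutes=20 * i)
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} analyst1 download CR-{20000 + i}")
    for i in range(120):                     # one report every five seconds
        when = start + timedelta(seconds=5 * i)
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} svc_reports download CR-{30000 + i}")
    return sorted(lines)                     # ISO timestamps sort chronologically


def build_mail_log():
    """Constructed outbound gateway log: a clerk mailing two outside domains and
    a compromised mailbox mailing fifteen distinct outside domains in an hour."""
    start = datetime(2025, 2, 3, 9, 0, 0)
    lines = []
    for i in range(3):
        when = start + timedelta(minutes=30 * i)
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} clerk@hfs.example user{i}@partner{i % 2}.example")
    for i in range(15):
        when = start + timedelta(minutes=4 * i)
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} comp.mailbox@hfs.example staff@agency{i}.example")
    return sorted(lines)


if __name__ == "__main__":
    print(flag_bulk_downloads(build_access_log(), {"analyst1": 3, "svc_reports": 8}))
    print(flag_outbound_fanout(build_mail_log(), "hfs.example"))
```

The baseline multiplier matters: a reporting service account that legitimately exports thousands of reports a day would need a much higher baseline than an analyst, which is why the audit of which CRIS accounts have bulk read or export capability should precede tuning the thresholds. The fan-out check deliberately ignores sender authentication, since the HFS phishing mail came from a real government mailbox and would have authenticated cleanly.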