This page, Commonwealth Corporation Did Not Adequately Protect Confidential Employee Information., is offered by the Office of the State Auditor.

Commonwealth Corporation Did Not Adequately Protect Confidential Employee Information.

This audit revealed that in 2018 a hacker gained access to CommCorp employees’ personally identifiable information, including payroll data within W-2 forms.


Overview

Commonwealth Corporation (CommCorp) did not adequately ensure that it protected its employees’ personally identifiable information. On March 19, 2018, a hacker impersonating CommCorp’s president / chief executive officer (CEO) gained unauthorized access to CommCorp’s email system. The hacker accessed payroll data from 164 current and former employees’ federal W-2 forms for the period 2008 through 2017. Although the data were protected by encryption[5] software, a payroll employee emailed the encryption password to the hacker. The hacker also attempted to transfer $3,500 from an online bank account, which alerted CommCorp management to the breach of its systems by an unauthorized party. Upon realizing that its systems had been compromised, CommCorp management notified the board of directors and the Executive Office of Labor and Workforce Development, which in turn notified the Governor’s Office, the Attorney General’s Office, the Executive Office of Technology Services and Security, the Office of the Secretary of the Commonwealth, and the Office of Consumer Affairs and Business Regulation. In addition, CommCorp notified the Internal Revenue Service and the Federal Bureau of Investigation; it also sent written notifications to all current and former employees affected by the breach and committed to providing identity theft monitoring services for three years to all affected individuals. Current and former employees affected by this breach may be at risk of fraud.

Authoritative Guidance

According to CommCorp’s “Internal Policies and Procedures Password Policy,” dated October 11, 2016, “Passwords must not be inserted into email messages.”

The most widely used framework for internal controls in the United States was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and represents best practices that should be used by organizations such as CommCorp in their development of effective internal control systems, including controls over information security systems. The COSO document Internal Control—Integrated Framework adopted the concept of enterprise risk management, a key element of which is an organization’s identification and assessment of the risks inherent to its operations that could prevent the accomplishment of its mission and goals and the controls in effect to mitigate those risks.

COSO specifically refers to cyber-risks and methods to prevent and detect fraud in its 2015 report COSO in the Cyber Age:

When a company manages cyber risk through a COSO lens, it enables the board of directors and senior executives to better communicate their business objectives, their definition of critical information systems, and related risk tolerance levels. This enables others within the organization, including [information technology] personnel, to perform a detailed cyber risk analysis by evaluating the information systems that are most likely to be targeted by attackers, the likely attack methods, and the points of intended exploitation. In turn, appropriate control activities can be put into place to address such risks. . . .

Because cyber risk exposure can come from many entry points, both internal and external to the organization, preventive and detective controls should be deployed to mitigate cyber risks.

Reasons for Issues

According to CommCorp management, a payroll employee believed that the hacker was actually the president / CEO and forwarded the information that the hacker requested. In addition, we found that CommCorp had not developed policies and procedures that required employees to participate in computer security awareness training.
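The two failures described in this report (a request for W-2 data arriving under the president / CEO's name from a sender the payroll employee did not verify, and a reply that placed the encryption password in the body of an email, contrary to CommCorp's password policy) are both visible to a mail-gateway check. The code below is an added illustration written for this page; it is not CommCorp's, the auditor's, or any vendor's code. The organization domain, the executive directory, the message structure and the three sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed values for this example: the organization's mail domain and a
# directory mapping executive display names to their legitimate addresses.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}

# A password disclosed in prose, e.g. "the password is Winter2018!" or "Password: abc".
PASSWORD_PATTERN = re.compile(
    r"\b(?:password|passphrase|passcode)\b\s*(?:is|:|=)\s*\S+", re.IGNORECASE)
# A reference to W-2 forms, the record type requested in the incident.
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)


@dataclass
class Message:
    """Minimal constructed message model: the fields a gateway rule inspects."""
    display_name: str
    from_addr: str
    subject: str
    body: str
    direction: str  # "inbound" (into the organization) or "outbound"


def check_message(msg: Message) -> list:
    """Return the list of findings for one message (empty list means clean)."""
    findings = []
    if msg.direction == "inbound":
        name = " ".join(msg.display_name.split()).lower()
        expected_addr = EXECUTIVES.get(name)
        if expected_addr is not None:
            # Executive's display name on a message from some other address:
            # the pattern behind a CEO-impersonation request.
            if msg.from_addr.lower() != expected_addr:
                findings.append("executive display name does not match directory address")
            # Any W-2 request made under an executive's name is routed for
            # out-of-band verification, even when the address looks right.
            if W2_PATTERN.search(msg.subject + " " + msg.body):
                findings.append("W-2 request under an executive's name")
    else:
        # Detective control for the policy "Passwords must not be inserted
        # into email messages": flag outbound bodies that disclose one.
        if PASSWORD_PATTERN.search(msg.body):
            findings.append("password disclosed in outbound email body")
    return findings


# Constructed sample traffic modelled on the sequence the audit describes.
SAMPLE_MESSAGES = [
    Message("Jane Doe", "jane.doe@mail-example.net", "Urgent: W-2 forms",
            "Please send me all employee W-2s for 2008 through 2017 today.", "inbound"),
    Message("Pat Payroll", "pat.payroll@example.org", "Re: Urgent: W-2 forms",
            "Attached as requested. The password is Winter2018!", "outbound"),
    Message("Jane Doe", "jane.doe@example.org", "Lunch",
            "Team lunch on Friday?", "inbound"),
]


def scan(messages) -> list:
    """Run the checks over a batch and return (subject, findings) pairs that fired."""
    return [(m.subject, check_message(m)) for m in messages if check_message(m)]


if __name__ == "__main__":
    for subject, findings in scan(SAMPLE_MESSAGES):
        print(f"{subject!r}: {', '.join(findings)}")
```

The two checks are complementary: the inbound rule would have put the first message in front of a human before any data left, and the outbound rule would have stopped the reply that carried the password even if the first rule had been missed. Neither replaces the security awareness training the auditor recommends; a rule of this kind only catches the specific patterns it is written for.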

Recommendations

  1. CommCorp should develop policies and procedures that require periodic security awareness training for all employees.
  2. CommCorp should consider adopting security practices outlined in the COSO model to enhance its control activities to prevent, detect, and mitigate cyber-risks.

Auditee’s Response

Commonwealth Corporation takes the protection of personally identifiable information seriously. We have updated our Information Technology policies and procedures to strengthen policy and practice regarding the use and protection of personally identifiable information. Updated policies have been distributed to staff and are now included in new hire orientation. Our updated procedures include mandatory annual Information Technology security training for all staff. This training has already been conducted for all current staff on December 20, 2018 and January 14, 2019.

[5] Encryption software is an extra security measure used to prevent unauthorized disclosure of sensitive information.

Date published: March 19, 2019
