Press Release  Audit Reveals Cyber-Hacker Gained Access to Commonwealth Corporation Employees’ Confidential Information

Boston — State Auditor Suzanne M. Bump today released an audit of the Commonwealth Corporation (CommCorp), which revealed that in 2018 a hacker gained access to employees’ personally identifiable information, including payroll data within W-2 forms. In the audit, Bump calls on CommCorp to improve its cybersecurity policies and enhance its protection of employee confidential information.

“It is crucial that government agencies take steps to ensure employees receive preventative cyber security training and that sensitive employee information is safe and secure from outside cyber-threats,” said Bump of the audit. “I commend Commonwealth Corporation for its overall response to the hack and for strengthening its cybersecurity defenses, and hope this incident spurs other government and quasi-public agencies to review their defenses against similar phishing attacks.”

The audit, which examined the period of July 1, 2015 through June 30, 2018, found that on March 19, 2018, a hacker impersonating CommCorp’s chief executive officer gained unauthorized access to the agency’s email system. The hacker accessed payroll data from 164 current and former employees’ federal W-2 forms for the period 2008 through 2017. Although the data were encrypted, a payroll employee emailed the encryption password to the hacker. When the hacker attempted to transfer $3,500 from an online bank account, CommCorp was alerted, stopped the breach, and notified law enforcement and other officials. In its response to the audit, the organization indicated it has updated its cybersecurity procedures and expanded staff training to prevent similar incidents in the future.

Additionally, Bump’s audit also found CommCorp submitted incomplete payroll and expenditure information to the state Comptroller’s transparency website, CTHRU, for 2016 and 2017. In its response to the audit, CommCorp reports taking steps to ensure the submission and timeliness for posting all required financial information back to the state.

The audit also determined CommCorp is effectively administering the Workforce Training Fund Program’s General Program.  The programs’ purpose is to enhance business productivity and competitiveness by providing resources to medium and small businesses to upgrade workforce skill sets. The agency is funded by the state for this program through unemployment tax payments.

Commonwealth Corporation is a quasi-public state agency established in 1996 that is responsible for administering a wide range of publicly and privately funded programs through an annual contract with the Executive Office of Labor and Workforce Development.  

The audit of the Commonwealth Corporation is available here.

###