The Qakbot virus infected computers at the Massachusetts departments of unemployment assistance and career services that may cause a data loss impacting 210,000 people.
With around 1,500 computers impacted after the W32.QAKBOT virus hit in mid-April, the executive office of labour and workforce development admitted that there is a possibility that as a result of the infection, the virus collected confidential claimant or employer information, including names, social security numbers and email and postal addresses.
It also admitted that it is possible that bank information of employers was also transmitted through the virus. It admitted that there is no mechanism available to the department to assess the actual number of individuals affected, but any claimant who had their UI file manually accessed could be affected.
Additionally, businesses that file their quarterly statements manually may have had identifying information transmitted through the virus too. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station.
Joanne F. Goldstein, secretary of labour and workforce development, said: “I apologise to our customers and recognise that this is an unwanted problem. We are hopeful that the actual impact on residents and businesses is minimal.
“The breach is no longer active. We are in the process of individually notifying all residents whom we think could be impacted and have advised all relevant and necessary state and federal agencies of the situation. We are doing everything possible to provide assistance in how to protect their identities and credit to those affected.
“We take our customers privacy very seriously. Unfortunately, like many government and non-government organisations we were targeted by criminal hackers who penetrated our system with a new strain of a virus. All steps possible are being taken to avoid any future recurrence.”
Symantec said that Qakbot impacts Windows OS and is a worm that spreads through network shares and removable drives. “It downloads additional files, steals information and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence,” Symantec said.
“W32.Qakbot spreads by exploiting vulnerabilities when a user visits certain web pages, eExploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker and it copies itself to removable drives.”
It said that the ultimate goal of Qakbot is theft of information and it particularly looks for authentication cookies, including Flash cookies, OS and system information, geographic and browser version information, keystrokes and user credentials.