SALEM, Ore. — A piece of third-party software that hadn’t been updated might have been the point of entry for the hackers who breached the Oregon secretary of state’s website, a state report found.
The February breach took election and business records offline for nearly three weeks, delaying disclosure of campaign-finance information and forcing staff to handle many functions by hand.
Citing security concerns, officials wouldn’t name the suspect software but described it as an application development tool commonly used by governments and private-sector organizations.
They say the software has now been patched, and they’re working to have future security updates installed automatically.
The report was sent to state lawmakers Thursday. Secretary of State Kate Brown is asking the Legislature’s Emergency Board for approval to move money to cover the $176,223 cost for investigating and fixing the problem.
The secretary of state’s office has more than 1,300 types of software, said Tony Green, an agency spokesman. Many update automatically, but some require staff to manually download updates.
“We are working toward a solution to remove the human element and provide for an automated method for providing patching updates,” Green said.
Officials wrote that encrypted, personally identifiable data was stored on the computers, but they didn’t identify the type of information, citing security concerns.
About a quarter of the money the agency said it spent on responding to the attack went to overtime for 17 employees. It also bought new hardware and software, including a vulnerability management tool that tracks software update needs. It paid $72,000 to Virtual Security Research LLC for an analysis of network vulnerabilities and training. Another contractor handled communications with people who had information stored in the affected databases. About $5,000 was spent on lodging for four employees who stayed in Salem so they could work through a snowstorm.