Arizona agencies possibly exposed in LastPass data breach
Multiple state agencies, including the Arizona Department of Homeland Security and the state’s Medicaid provider, may have had their passwords and login credentials exposed in a breach of the popular password management software LastPass.
The Arizona Department of Administration confirmed to the Arizona Mirror that the Department of Homeland Security, the Arizona Health Care Cost Containment System and the Arizona Department of Financial Institutions had paid subscriptions to LastPass.
LastPass has come under intense scrutiny for a series of disclosures over recent months that culminated in a blog post revealing that a hacker gained access to the company’s corporate vault by targeting the home computer of one of its employees. That employee had the decryption keys needed to access cloud storage where sensitive information is held.
That employee, a LastPass engineer, had his master password captured by a keylogger, a piece of software installed on his computer. This allowed the hacker to bypass LastPass’ multi-factor authentication protections and gain access to the corporate vault.
According to the blog, once inside the vault, the hacker stole the keys that would allow them to access “production backups, other cloud-based storage resources, and some related critical database backups.”
ADOA spokeswoman Megan Rose told the Mirror that an official communication went out referencing LastPass’ issues on March 3, two days after the Mirror first asked which state agencies were using the software. Rose added that discussions have been happening “at regular meetings” since the first public notice of the breach last summer.
LastPass first disclosed that there was a breach in August 2022, with the company saying that hackers stole part of their source code and it was actually the second time the company had been hit.
The March 3 memo sent to Arizona state government agencies, which ADOA provided to the Mirror, is from the state’s chief privacy and compliance officer, who works at the Department of Homeland Security. It was addressed to all state agency information security officers and chief information security officers.
The memo mentions the August breach, as well as the disclosures LastPass made earlier this month. It states that DHS is recommending that all state agencies using LastPass perform a forced master password reset of all LastPass user accounts as a “precautionary measure.” It also included recommended configuration settings for LastPass.
“It is important to reiterate that the state hasn’t seen any evidence of irregular activity,” Rose said in an email to the Mirror.
But silence doesn’t always mean that nothing is happening, according to Dr. Ilia Kolochenko, the chief architect at cybersecurity firm ImmuniWeb and a professor of cybersecurity practice and cyberlaw at Capitol Technology University.
“Cyber mercenaries, they have absolutely no interest in exposing their intrusion,” Kolochenko said, adding that those who are hired by a criminal organization or state actor have an increased interest in making sure their trails are hidden. “This is something that cyber criminals and their clients are trying to avoid, so they are trying to make their intrusions as silent and invisible as possible.”
One way the effect of a breach such as this one can be measured is by seeing if login credentials or passwords are being sold on online forums on the dark web. However, Kolochenko said that in cases such as this one, that may also be more difficult.
More sophisticated hackers and sellers in the online criminal ecosystem will not openly sell their “high end” wares, only sharing that information with clients they trust or holding the information for their own personal use.
“It doesn’t necessarily mean that your data is not being sold somewhere and to someone,” Kolochenko said about not finding the state’s data on black market forums. The Mirror checked several forums popular for the sale of stolen data but did not find any offering Arizona data related to the LastPass breach.
The Arizona Attorney General’s Office refused to comment on whether an investigation into the breach had been launched. In Arizona, if a data breach impacts more than 1,000 residents, then the company is required to notify those affected, the AG, the Department of Homeland Security and the three largest consumer credit reporting agencies. There are penalties for companies that fail to notify properly.
Kolochenko said that Arizona residents who may have interacted with state agencies like AHCCCS or the Department of Financial Institutions should immediately change their passwords and enable two-factor authentication on all their accounts. Kolochenko also suggested that Arizona residents should monitor their credit, as lines of credit are the first target of many hackers.
The entire scope of the LastPass breach, and whether Arizona credentials were exposed, is currently unknown.
“While we do not, as a rule, comment on individual interactions with customers, we are committed to addressing concerns from all customers and to directly discussing any further steps they may need to take in response to past incidents,” LastPass said in a statement.
“As you may be aware, LastPass has already taken steps to notify all customers of the incident, as well as subsequent blog updates. And we will, of course, remain committed to complying with any related legal or regulatory requirement,” the statement added.
Kolochenko believes that the impact on governments will not be as great, but he is also not entirely sure. Some companies start “rapidly ringing the bell” on data breaches, only to find that a small number of users were ever impacted, while others fail to disclose until it is too late.
When it comes to LastPass, Kolochenko said that he believes they fall “somewhere in the middle.”
This report was first published by the Arizona Mirror.