1 in 3 Michigan workers tested opened fake 'phishing' email

March 16, 2018 by David Eggert
Credit: CC0 Public Domain

Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password.

The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer , including that not all workers are required to participate in cybersecurity awareness training. Phishing schemes—in which hackers try to deceive email recipients by posing as legitimate entities—can lead to identity theft and other problems.

Phishing was how Russian-linked players stole the emails of Hillary Clinton's presidential campaign chairman John Podesta.

Michigan's Office of the Auditor General made 14 findings in the audit, including five that are "material"—the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network.

"Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.

The Department of Technology, Management and Budget agreed with many of the findings while partially concurring with some. It said the auditors' phishing email was reported to a "security tips" mailbox multiple times and there are other controls that may limit the effectiveness of such attacks.

The agency added that it is formalizing a standard that adopts industry best practices for secure configurations, estimating it will be done in April.

"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said spokesman Caleb Buhs, who said the state has already begun implementing many of the auditors' recommendations. "This audit provides us with a good roadmap for prioritizing future technology infrastructure investments."

The audit, which covered a three-year period between 2014 and 2017, said the state did not fully establish and implement an effective process for managing updates to network devices' operating systems. Ten high- or medium-severity vulnerabilities were identified.

Overall, Auditor General Doug Ringler deemed state's efforts to design, administer and monitor a secure IT network as "moderately sufficient."

A Democratic critic of Gov. Rick Snyder's administration, Senate Minority Leader Jim Ananich of Flint, said "there is just no excuse for why Michigan's top officials have failed to protect our state from hackers."

Explore further: When fee-pressured audit offices focus on non-audit services, financial statements suffer

More information: Audit: bit.ly/2IwhmAe

Related Stories

Audit: Air traffic systems vulnerable to attack

May 6, 2009

(AP) -- The nation's air traffic control systems are vulnerable to cyber attacks, and support systems have been breached in recent months allowing hackers access to personnel records and network servers, according to a new ...

To fend off hackers, local governments get help from states

December 12, 2017

The city of Mill Creek, Wash., has only 55 full-time employees and just one of them—James Busch—is responsible for handling information technology and cybersecurity. He worries about the growing sophistication of hackers ...

Recommended for you

Archaeologists discover Incan tomb in Peru

February 16, 2019

Peruvian archaeologists discovered an Incan tomb in the north of the country where an elite member of the pre-Columbian empire was buried, one of the investigators announced Friday.

What rising seas mean for local economies

February 15, 2019

Impacts from climate change are not always easy to see. But for many local businesses in coastal communities across the United States, the evidence is right outside their doors—or in their parking lots.

The friendly extortioner takes it all

February 15, 2019

Cooperating with other people makes many things easier. However, competition is also a characteristic aspect of our society. In their struggle for contracts and positions, people have to be more successful than their competitors ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.