Ten members’ Bucks redeemed by person other than plan holder
FRANKFORT, Ky. (May 19, 2017) — On April 5, 2017, the Personnel Cabinet learned that a security breach of Go365 accounts had occurred, resulting in 10 Kentucky Employees’ Health Plan members’ Go365 Bucks being redeemed by someone other than the plan holder.
The breach was discovered after the vendor recognized an excessive number of failed login attempts from foreign IP addresses. After investigating, Go365 determined that the unauthorized persons used a large external source of credentials (passwords and user IDs) that did not come from Go365. Using these credentials, the unauthorized persons accessed the accounts of certain Go365 members and procured gift certificates by redeeming the members’ incentive “bucks.” This practice of assuming the identity of another person to accomplish a goal, such as using stolen authentication credentials to impersonate a user, is called “identity spoofing.”
Go365 determined that 10 KEHP members’ incentive bucks were redeemed as a result of the incident. Go365’s investigation identified 235 additional KEHP members whose accounts may have been inappropriately accessed, but no bucks were redeemed.
Go365 telephoned the 10 impacted members to advise them about the incident and the fact that Go365 was replenishing the members’ incentive bucks. In addition, Go365 is sending notification letters to all impacted members. At its own expense, Go365 partnered with Equifax to provide its Credit Watch Gold with 3-in-1 monitoring identity theft protection product for one year at no charge to KEHP members impacted by this incident.
This incident did not result from a failure of the Commonwealth’s network, e-mail, or human resource information system. The Personnel Cabinet and Go365 take these incidents very seriously and employ technologies to help reduce such risks. To protect against identity spoofing, both the Personnel Cabinet and Go365 recommend that employees and KEHP members change their passwords on a regular basis and use different user credentials for each website they access.