Investigation into cyberattack on New Mexico department continues as state committee prepares to meet

Cybersecurity experts and state personnel continue to investigate an incident that led to unauthorized access at New Mexico's Regulation and Licensing Department.

The department remains fully operational despite the attack and the ongoing investigation, said Renee Narvaiz, the public information officer for the state's Department of Information Technology.

Officials discovered the incident on Oct. 7, she said, adding that officials are confident that any unauthorized access has been isolated and mitigated.

The Associated Press first reported on the incident last week.

New Mexico's Regulation and Licensing Department oversees more than 500,000 individuals and businesses in 35 industries, professions and trades across New Mexico. The department is operational and is "doing everything necessary to service our customers and get all our electronic systems fully functional," Narvaiz said in an email to Albuquerque Business First.

When asked if the state had reached out to the FBI, Narvaiz said that an investigation into the matter is ongoing and that "all proper reporting has or will take place."

New Mexico agencies are working to make sure adequate protections are in place to prevent personally identifiable information of employees and RLD customers from being compromised.

The Regulation and Licensing Department has begun to notify individuals and organizations whose records may have been accessed and will provide data breach assistance and credit monitoring. The department has set up a hotline at 833-550-4100 for those with questions and a webpage with additional information.

“Cybersecurity is of utmost importance to the State of New Mexico,” said State Chief Information Security Officer Raja Sambandam. “We are working diligently with RLD and all other state agencies to continuously improve their cybersecurity posture to protect the state and the people of New Mexico.”

Cybersecurity incidents across New Mexico have piled up since January. Some, such as an incident that affected TriCore Reference Laboratories and Albuquerque-based First Choice Community Healthcare Inc., occurred after an unauthorized third-party accessed a vendor’s computer system.

Others — like Bernalillo County, Albuquerque Public Schools, First Financial Credit Union, Goodwill Industries and La Fonda on the Plaza in Santa Fe — were attacked directly.

One aspect working in the Regulation and Licensing Department's favor — the agency had multi-factor authentication in place prior to the incident, Narvaiz said.

Multi-factor authentication requires a user to provide a password and one other method of verification before gaining access to a computer or network.

Narvaiz said the Regulation and Licensing Department is working to enhance those systems even further.

The investigation is unfolding as a new committee formed to study the state's cybersecurity preparedness has posted an agenda for its first meeting on Friday.

The Cybersecurity Planning Committee consists of 12 people that Lujan Grisham appointed, and includes a mix of individuals from across the state. The members include: