The superintendent of New Mexico's Regulation and Licensing Department on Tuesday told state legislators that it wasn't necessarily a weakness in software or hardware that led to a cyber incident uncovered in October.
Rather, it was human instinct.
"The weakness is us," Linda Trujillo said before members of the Legislative Finance Committee during a hearing at the state Capitol.
While Trujillo didn't share with legislators what caused the incident in October, she laid out a scenario in which an email arrives asking someone to purchase a number of gift cards and send them to a particular address. The email, however, is a phishing scam and an attempt to either steal money, gain access to a computer network or both.
"Believe it or not, people do those things," Trujillo said while answering a question from New Mexico Sen. Nancy Rodriguez (D Santa Fe) about the NMRLD's budgetary request in advance of the start of the 60-day 2023 legislative session on Jan. 17. NMRLD oversees more than 500,000 individuals and businesses in 35 industries, professions and trades across New Mexico.
While details about the cybersecurity incident that was uncovered on Oct. 7 remain sparse, what is known is that it led to some level of unauthorized access. Four days later — on Oct. 11 — the department began to notify all individual or organizational licensees that they may have been impacted, according to a NMRLD statement. The investigation is ongoing.
It is unclear if ransomware was a factor in the incident.
The department has remained "fully functional" since the incident, though some of the divisions reverted to accepting paper applications, NMRLD spokeswoman Bernice Geiger told Albuquerque Business First earlier this month.
"But nothing has stopped," she said.
Securing money to develop strategies to stop changing internal and external cybersecurity threats was a priority in Trujillo's presentation to legislators. In the strategic plan, she highlighted the need for $3.5 million for response and recovery expenses associated with the October incident.
That figure includes $1.6 million for incident response contracts, $1.2 million to replace hardware and upgrade software, about $500,000 to update online licensing and renewals for six regulated industry sectors and about $260,000 toward credit monitoring.
Overall, Trujillo hopes to be able to add safeguards against social engineering attempts, which she said present significant challenges to state and local governments as well as private businesses.
"What we really need to do is have the software and hardware that detects [phishing attempts] in minutes, because prevention, there is only so much prevention you can do," Trujillo said. "What you really have to be able to do is to be able to identify that kind of social engineering when there is that kind of breach because within days or hours — you are too late."
