HR/CMS Credential Harvesting Incident
Good evening,
As you may have seen, the HR/CMS Employee Self-Service Time and Attendance (SSTA) system was unavailable for a period of time yesterday and today (October 8-9, 2024).
What happened?
The Commonwealth of Massachusetts is investigating an apparent credential harvesting campaign involving the HR/CMS Employee Self-Service Time and Attendance (SSTA) system. A credential harvesting campaign is a cyberattack technique that involves stealing personal or financial data from users. In this case, a fake website was created that resembled the SSTA portal. Some employees used this website, believing it to be the correct website, and entered their SSTA username and password, allowing for unauthorized access to their user account and direct deposit information.
HR/CMS Employee Self-Service, including Time and Attendance, was disabled temporarily as a precaution to secure state employee information.
What is known at this time?
HRD, EOTSS and the Comptroller have taken immediate and appropriate steps to secure user accounts and initiate an investigation. Safeguards in place within the SSTA system alerted impacted employees immediately.
Has the Commonwealth’s full HR/CMS system been compromised?
There is no evidence indicating any compromise of the full system. The compromised accounts are the result of user error entering their credentials into a spoofed website.
Please note that all potentially impacted employees have been contacted.
You may also refer to the instructions below to confirm that your Direct Deposit information is correct.
Will payroll go out on time?
Payroll will not be affected and will still go out this week. Out of an abundance of caution, some employees who made a change to their direct deposit information in HR/CMS between October 1 and October 8 will receive a paper check. Affected employees have been notified separately by the Office of the Comptroller and will receive a paper check for this pay cycle.
What actions should I take to ensure I do not use an unauthorized site?
- Only log into HR/CMS Employee Self-Service Time and Attendance through a trusted link posted on Mass.gov or on a website internal to your department/agency.
- You may wish to bookmark the HR/CMS Employee Self-Service Time and Attendance URL: https://hrcms-prod.mass.gov/
- Avoid searching for HR/CMS Employee Self-Service Time and Attendance on Google, Bing, or another search engine. This is risky, as search results may lead users to a spoofed site that can steal credentials, such as your username and password.
- Consider taking this opportunity to change your password by logging into HR/CMS Employee Self-Service Time and Attendance.
Important Cybersecurity Reminders
- Cybersecurity starts with the end-user. Before clicking on any links in an email, verify the sender’s identity.
- To protect against phishing attacks, never open suspicious email or download unknown content. Report all suspicious emails to your Chief Information Officer. For those in the executive branch, report to the Security Operations Center (SOC) at [email protected].
- Guard your state credentials: use complex, unique passwords; never enter your state credentials when prompted to via email. Change your passwords frequently and use multifactor authentication.
- Official government websites are hosted on a .gov domain. The spoofed website, in this case, had a non-.gov URL. Massachusetts web services are ONLY hosted at mass.gov, as indicated by the brand banner that says “an official website of the Commonwealth of Massachusetts” at the top of each page on mass.gov.
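The two pieces of guidance above (use the bookmarked URL, and treat anything outside mass.gov as unofficial) can be turned into a small link-checking routine. The following is an added example written for this page, not a tool provided by HRD, EOTSS or the Comptroller; it uses only the host names stated in the notice, and the "lookalike" URLs it tests are constructed placeholders, not addresses observed in the incident. It checks only what the notice describes (HTTPS and the registered domain); it does not replace the brand banner check or the browser's certificate warnings.

```python
from urllib.parse import urlsplit

# Host the notice tells employees to bookmark (taken from the page).
SSTA_HOST = "hrcms-prod.mass.gov"
# Registered domain under which the notice says Massachusetts web services are hosted.
OFFICIAL_DOMAIN = "mass.gov"


def _https_host(url: str):
    """Return the lowercase host of an https:// URL, or None if the URL is not https.

    urlsplit().hostname already lowercases the host and discards any
    user@ prefix and :port suffix, so a link such as
    https://hrcms-prod.mass.gov@attacker.test/ yields 'attacker.test'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # tolerate a trailing dot (FQDN form)


def is_official_domain(host: str) -> bool:
    """True only for mass.gov itself or a subdomain of it.

    The label boundary ('.' + domain) matters: 'hrcms-prod-mass.gov' and
    'mass.gov.example.test' both contain the string 'mass.gov' but are not
    under the mass.gov registered domain.
    """
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def check_link(url: str) -> str:
    """Classify a link the way the notice tells employees to reason about it."""
    host = _https_host(url)
    if host is None:
        return "NOT an official site"
    if host == SSTA_HOST:
        return "official SSTA portal"
    if is_official_domain(host):
        return "other mass.gov site"
    return "NOT an official site"


if __name__ == "__main__":
    # Constructed sample links for illustration; the non-mass.gov ones are
    # placeholders under the reserved .test TLD, not real addresses.
    samples = [
        "https://hrcms-prod.mass.gov/",
        "https://HRCMS-PROD.mass.gov:443/psp/",
        "https://www.mass.gov/",
        "https://hrcms-prod.mass.gov@login.example.test/",
        "https://hrcms-prod-mass.gov/",
        "https://mass.gov.example.test/",
        "http://hrcms-prod.mass.gov/",
    ]
    for link in samples:
        print(f"{check_link(link):<24} {link}")
```

The userinfo case is the one most worth noticing: everything before the `@` is ignored by the browser, so a link that *starts* with the real host name can still land on a different site. Matching on the parsed host, not on whether the URL "contains" mass.gov, is what makes the check meaningful.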
How can I confirm that my direct deposit information is correct?
You can confirm your direct deposit information in HR/CMS Self-Service. From the homepage, click on the Payroll tile. Then, click on the Direct Deposit tile.
If your direct deposit information is incorrect, or if you receive notice of an unauthorized direct deposit change, immediately contact your payroll department or, if your agency participates, the MassHR Employee Service Center at 1-617-979-8500 or [email protected].