Local News

Cyberattack disrupts veterans benefit program

Breach delays millions in benefit claims

ILLINOIS (WCIA) -- A malicious cyberattack, launched in early July, paralyzed a statewide computer program built to help veterans claim their government benefits.

The outage blanketed the state for at least six weeks and disrupted thousands of claims likely worth several million dollars, according to state records obtained under the Freedom of Information Act. Veterans were left to fill out pages of tedious paperwork and submit their claims on fax machines. The logjam delayed benefit claims which run the gamut, including drastic reductions in processed medical claims for wounded veterans, burial benefits for surviving family members and pension benefits for widows. 

The Illinois Department of Veterans' Affairs was one of several state agencies which had not completed a recommended cybersecurity upgrade when the phishing attack brought the CyberVet system crashing down on July 3. 

"Within hours of when we realized there was a problem, the IT department here was able to stop it, control it," said Dave MacDonna, a spokesman for the department. "Unfortunately, it required a longer process than we wanted." 

The program was back online by August 13, but MacDonna said some VA locations were still unable to use CyberVet as recently as last month. 

IDVA director Erica Jeffries was unavailable for an interview, but in a press release issued on July 5, she wrote she was "pleased with our staff's prompt response to this incident," which she claimed would restore service "in the most rapid and secure means possible." 

Former director Roy Dolgos told WCIA the CyberVet program was a big hit with veterans, largely because it removed a series of obstacles and headaches often associated with filling out pages of forms and paperwork. 

"After a while, the veteran just says, 'Screw it, I don't want to do it anymore,'" Dolgos said. 

Stranded without access to their computers and some without internet, Veteran Service Officers worked overtime to fill out as many claims as they could on paper. Now that the program is back up and running, many of those claims are still waiting to be submitted online. Army veteran Justin Jennings works at the Springfield location and says he still sees a staggering amount of wounded combat veterans come in to claim benefits for the first time. 

"We get Vietnam vets in here all the time," Jennings said. "We just had four come in with Agent Orange this week alone." 

Jennings says the aging population of World War II and Korean War veterans keeps a steady stream of widows coming in to claim burial or pension benefits. Many of them have little experience with a computer and even less patience for pages of paperwork dotted with fine print. 

IDVA handed over some of the documents and data requested in a series of FOIA orders, but withheld financial reports which would reveal the total cost of benefits claimed during the outage. The department also redacted sensitive medical information and withheld other agency emails exchanged during the crisis, claiming those emails could contain malware and might still pose a risk. Requests for screenshots of those emails or an opportunity to view them on a state computer were denied. Outstanding FOIA orders, filed with the Department of Innovation and Technology, could soon reveal even more details about the scope and cost of the intrusion. 

Though it's difficult to pin down a precise figure associated with the breach, IDVA cover sheets titled "Supervisor Daily Interview Record" give a glimpse of the damage in the form of monthly averages that tally total benefit claims processed during Fiscal Years 2015 - 2018. By comparing this year's progress to the last three years on record, a foggy picture of the damage starts to come together.

According to IDVA, the FY2018 report is current as of mid-December. However, nearly halfway through the fiscal year, the total figures and monthly averages in FY2018 are far behind the number of claims filed in previous years. 

Veterans Compensation benefits are down 57 percent; Widows Pension benefit claims are 45 percent behind where they were last year; Veterans Pensions idle at 48 percent below FY17 figures; VA Education benefit claims lag 65 percent behind; DOD Combat Related Special Compensation claims suffered at a rate of 60 percent on average; Monthly Discharge/Medal claims were filed 73 percent slower after the July cyber attack; Also stuck in a 73 percent nosedive are death benefits for veterans killed in the line of duty and burial benefits granted to surviving family members; VA Insurance claims are down 62 percent so far this fiscal year.


Until the summer security lapse, CyberVet was on its way to becoming a bright spot in an otherwise beleaguered administration. Even during the unprecedented state budget impasse, the Department of Veterans' Affairs was consistently improving its annual benefit claims. But the cyberattack brought that streak to an end.

The breach surfaced at an inopportune time for an administration mired in turmoil. The lone public notice of the cyberattack went largely unnoticed. It was published the day after a national holiday; one day before state lawmakers would rally to squash Governor Bruce Rauner's budget veto. The legislative defeat sparked a chaotic reshuffling within Rauner's office that was still simmering and unresolved by the time CyberVet was back online. To date, the governor's office has not commented publicly about the disruption in service and declined to comment for this story, deferring to the agency heads involved. 

A DoIT investigation has not yet yielded any results and is unlikely to ever identify the perpetrator. Phishing malware can be easily purchased or rented on the dark web, and hackers can quickly cover their tracks by disposing of the domain names they deploy to fool their victims. 

"While cybersecurity threats always exist, this particular incident is considered resolved," said DoIT spokeswoman Jennifer Schultz. 

She said, while the attack impacted an entire agency and all of the Veteran Service Officer locations scattered across the state, it did not spread to other networks. Computer systems for the Department of Veterans' Affairs are networked with the Secretary of State's systems, but DoIT says those systems remain unaffected. 

"DVA is more cybersecure than prior to the incident," Schultz said. "The entire network was rebuilt, modernized and is now 100 percent managed on an enterprise level." 

Phishing attacks typically appear in the form of a link or an attachment, often in an email. Once a user clicks the malicious content, that device and others on the network can be in danger. Cybersecurity experts say phishing attacks are easy to carry out and hard to trace, but several effective safety measures have existed for at least a decade. 

Sender Policy Framework (SPF) protections can help network administrators identify the origin of an email to ensure it was sent from a legitimate source. Some technology experts prefer a DomainKeys Identified Mail (DKIM) system, which pairs a DNS public key with a private, encrypted digital fingerprint contained in the sender's email, and only allows the email to be accessed when the public-private keys match. It's unclear if the Department of Veterans' Affairs was using either of these widely accepted practices to guard against phishing attacks, but the agency was out of compliance with the state's recommended cybersecurity protocols when the attack occurred.

IDVA claims no veterans' personal information or private data was stolen in the incident. Veterans who believe their claim may have been delayed or interrupted are encouraged to reach out to the nearest VSO location to check the status of their claim. 

More Stories

Trending Stories

Latest News

Video Center