AZ lawmakers hacked, see message in Russian

Arizona lawmakers got hacked this week. And when they clicked the link to change their password, a screen with Russian writing popped up.

Arizona Chief Information Security Officer Mike Lettman sent an email to legislative staff Friday night alerting them to the issue. According to the email, multiple senators or staff received an email that appeared to be from the state's human resources and payroll system asking them to reset their password. When some clicked on the link, they received a screen in Russian.

"At this point at a minimum anyone who clicked on the link or changed their HRIS (Human Resources Information Solution) password has their login and password compromised," Lettman said in the email. "In addition clicking on the link may have compromised their desktop or laptop was infected to begin with."

He said in the email that the Arizona Department of Administration has shut down all external access to the system until the extent of the problem is determined. The system handles HR and payroll issues for 40,000 state employees and calculates $2.5 billion in annual payroll, according to the ADOA website. It's unclear if other state employees were also impacted.

Several state lawmakers confirmed they had received the warning email, and that they couldn't get into the payroll system this weekend. None said they had clicked on the phishing email.

Wendy Baldo, the Senate chief of staff, said at least two people on her staff got an email from HRIS late in the week telling them their password would expire soon and they needed to change it.

Senate Republican Assistant General Counsel and Policy Advisor Jeff Kros was one of them. When he hit the “change password” prompt, it came back in Russian.

Baldo said she then looked at her email, found the same email and checked it out with the same result.

“I  got prompted to change it and the instructions came back in Russian,” she said.

She contacted ADOA, and they contacted the legislative attorneys, who then notified lawmakers and legislative staff.

Aside from a message from Legislative Council, which oversees legislative communications,  Baldo said she has not heard anything further about the origin of the email. And although the apparent hack happened just days before the legislative session opens, she doesn’t expect major problems.

“I don’t expect any big interruptions, it’s just a crazy thing that happened," she said.

According to Arizona Department of Administration's initial assessment, the issue was isolated to about 100 people at the state Legislature and there is no evidence at this point that anything other than login information may have been compromised, department spokeswoman Megan Rose said. The system will be brought back online at 8 a.m. Monday and closely monitored while the investigation continues. IT officials will conduct a forensic analysis on the legislative network and individual computers to determine what was compromised.