author photo
By Bruce Sussman
Mon | Jan 13, 2020 | 7:30 AM PST

Can you imagine the snickering around the office on this one?

"Hey boss, I couldn't watch my security awareness training course because the website got hacked!"

Now that's an awkward conversation for the security team to have.

Online learning hack halts security awareness training

More than 4,000 employees at the Oregon Health Authority cannot take their mandatory security and privacy awareness module because the state's iLearn portal was hacked and has been offline for a couple of weeks now.oregon-learning-website-attack

The employees are also waiting to take online modules related to Oregon ethics law and public records.

Hack of online learning site impacts corrections officers

As an example of how disruptive something like this can be, you can look to the Oregon Department of Corrections. More than 5,000 employees and contractors have missed a crucial training window.

According to the Salem Reporter, this window only happens once a year.

The agency was to be conducting in-service training this week that included a 12-hour block for online courses. Since the trainings were unavailable, [physical] security employees had to either use vacation time to await the training or return to work at their respective facilities. 

"Due to the nature of our business, this is often the only time our security staff can complete the training online due to work assignments within our institutions," says Michael Beagen, state Department of Corrections training coordinator.

"This will have a prolonged impact, as a future relief factor will need to be implemented in order for those staff who were unable to complete their online training during their in-service week will need to be relieved from posts in order to do so."

Learning portal hack: what we know

According to the Oregon Department of Administrative Services, the attack involved a previously unknown exploit against the state's website on Christmas Day. 

[RELATED: Hackers like to hit on holidays]

Says the Salem Reporter:

"No information was compromised, but the training site was shut down until the state and the program vendor—Meridian Knowledge Solutions—can fix the vulnerability and ensure its security."

Meridian Knowledge Solutions says it provides "Learning Solutions for Highly Regulated Industries."

In this case, learning is on hold.

The State of Oregon has extended training deadlines for impacted employees to January 31.