A hacker who phished the login credentials of LA County employees is believed to have compromised the personal data of over 750,000 people.
According to the Chief Executive Office of Los Angeles County, California, attackers stole the usernames and passwords from 108 County employees back in May 2016.
Some of these workers had individuals’ client or patient information stored in their email accounts per their work responsibilities. As a result, the County launched an investigation into the incident to determine how many people the attack had affected.
Joel Sappell, who heads communications for the County, provides the answer in a press release published on 16 December:
“An exhaustive forensic examination by the County has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.”
Why so long between the data breach and LA County warning potentially affected individuals? The County says that it was instructed by law enforcement to delay making any statements in fear that it might hinder a criminal investigation.
The information potentially stolen from those individuals is extensive. It consists of names, Social Security Numbers, payment card details, medical records, and other sensitive pieces of data.
In response, the County of Los Angeles is offering anyone affected by the breach free identity monitoring. Those affected can also contact a call center for more information about the incident.
At the same time, the County is taking a number of steps to find out what happened in the attack and prevent similar incidents from happening again.
First, it’s cooperating with the District Attorney’s Cyber Investigative Response Team to bring to justice the actor(s) who perpetrated the attack. So far, local law enforcement has issued an arrest warrant for Austin Kelvin Onaghinor, a 37-year-old Nigerian national, and charged him with nine counts, including identity theft and unauthorized computer access.
1,000 email users at LA County are said to have received a phishing email from Onaghinor, with 108 county employee email accounts affected.
Which leads us to the second step: the County is working to defend against future phishing attacks by implementing safeguards such as new security measures and employee awareness training.
Per a FAQ page on the County’s website:
“We are seeking to stay ahead of the rapidly evolving and continuous threats to our systems. The County remains vigilant in its efforts to protect confidential information and continues to strengthen the information privacy and security program to implement safeguards to prevent and/or reduce cyber-attacks.”
One would hope that they are also considering introducing some form of multi-factor authentication to prevent unauthorised remote access to employee email accounts.
Whenever they come across an email from an unfamiliar sender, users should treat the email as malicious until proven otherwise. They can then set out to verify the legitimacy of the email by checking the URLs for their destinations and looking out for any indications of urgency or too-good-to-be-true offers. It’ll only take a few seconds of their time, and it’ll help prevent a major headache should the email prove to be fake.
"They can then set out to verify the legitimacy of the email by checking the URLs…"
Many big organisations re-write URLs prefixing the destination with a web scanning service. It's entirely transparent: you click the link, a quick check is made to see whether that site contains malware, viruses or a phishing attack and if all is okay the user is seamlessly redirected. Most of the time the user isn't even aware of the background checks going on.
If the page contains something malicious then the user will be redirected to a warning page and given the option to proceed or totally denied access (depending upon corporate policy) to the destination URL.
These scanning systems provide highly effective zero-day protection and are offered by most of the major vendors (Microsoft, Proofpoint, etc.).
Even if LA County didn't have this type of system in place, or if they used webmail, then the major vendors also provide protection. Google and Microsoft both provide anti-phishing warnings.
It seems like the combination of poor user education, ineffective information security policies and inappropriate systems was to blame here.
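Both the article's advice to check where a link really goes and the comment's description of rewriting URLs through a scanning service can be shown in one short script. This is an added example, not code from the article, LA County or any vendor; the sample message, the urgency phrase list, the blocklist and the linkcheck.example.com scanner host are all constructed stand-ins.

```python
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# Constructed sample: the link text claims one host, the href another, and the body presses for urgency.
SAMPLE_HTML = """
<p>Your mailbox is almost full. <b>Act within 24 hours</b> or lose access.</p>
<p><a href="http://county-mail-login.example.net/verify">https://webmail.county.example</a></p>
<p><a href="https://intranet.example.org/policy">Read the policy</a></p>
"""
URGENCY_PHRASES = ("within 24 hours", "act now", "immediately", "account suspended")
KNOWN_BAD_HOSTS = {"county-mail-login.example.net"}  # constructed stand-in for a vendor reputation feed

class LinkCollector(HTMLParser):  # collects (href, visible anchor text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def suspicious_links(html):
    """Hrefs whose visible text looks like a URL but names a different host than the href."""
    return [href for href, text in collect_links(html)
            if text.startswith(("http://", "https://"))
            and urlparse(text).hostname != urlparse(href).hostname]

def urgency_hits(html):
    """Pressure phrases of the kind the article tells users to watch for."""
    return [phrase for phrase in URGENCY_PHRASES if phrase in html.lower()]

def rewrite_for_scanner(html, scanner="https://linkcheck.example.com/?u="):
    """Route every href through a scanning service (hypothetical host), as the comment describes."""
    for href, _ in collect_links(html):
        html = html.replace(f'href="{href}"', f'href="{scanner}{quote(href, safe="")}"')
    return html

def scanner_verdict(href):  # click-time decision at the scanner: block listed hosts, allow the rest
    return "block" if urlparse(href).hostname in KNOWN_BAD_HOSTS else "allow"
```

Feeding the constructed message through `suspicious_links` flags only the first link, whose anchor text impersonates a webmail address, while `rewrite_for_scanner` shows the transparent wrapping the comment describes and `scanner_verdict` the block-or-allow decision made when the wrapped link is clicked.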