California State Comptroller’s office disclosed that a hacker illegally accessed personally identifiable information (PII) of about 9,000 people. The office said that an unauthorized user had access to an email account of one employee for at least 24 hours from 1:42 pm on March 18 to 3:19 pm the following day after a phishing attack.
The threat actor stole social security numbers and sent potentially malicious emails to at least 9,000 workers.
The Golden State’s comptroller’s office handles over $100 billion in public funds every year. It safeguards about $10 billion in lost or forgotten properties, safe deposit boxes, insurance benefits, checks, bonds, and stocks.
California State Comptroller’s office acknowledges leaking personal details
California State Comptroller’s office (SCO) spokeswoman Jennifer Hanson said that the state notified its employees of the data breach. The workers were targeted through malicious phishing emails by the unauthorized user.
“An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email they received and then entered their user ID and password as prompted, unknowingly providing an unauthorized user with access to their email account,” the SCO’s data breach notification explained.
Phishing attack compromised California employee’s Microsoft Office 365 email account
Sources disclosed that the phishing attack compromised an employee’s Microsoft Office 365 files but did not compromise other users or files.
“SCO team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties. The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification,” SCO’s spokeswoman said.
She added that the compromised email account contained personally identifiable information associated with Unclaimed Property Holder Reports. Ms. Hanson directed the employees contacted through the hacked email to monitor their accounts and register fraud alerts with the consumer credit bureaus.
She also advised the employees to delete the phishing email and avoid clicking on any links included. The state also implemented additional undisclosed security measures to protect the affected employees.
According to an employee tracking the data breach with California’s IT team, who spoke to KrebsOnSecurity on condition of anonymity, the attackers stole financial information belonging to thousands of employees.
Hackers could make fraudulent claims through identity theft
Hanson confirmed that the exposed information could allow fraudsters to lodge claims. She noted, however, that more information would be required to complete the transactions.
“The unauthorized user did have access to information that could help someone submit a claim for unclaimed property,” Hanson told the Sacramento Bee. “However, in most cases, it would not be enough information for them to complete a claim.”
However, having part of the information could enable the attackers to execute successful phishing attacks against beneficiaries to collect the full information required for successful claims.
Sources said that the phishing email claimed to originate from an organization doing business with the state. The targeted employee had represented the state in the transaction. It seems that the attacker conducted an intensive preliminary investigation before executing the phishing attack.
James McQuiggan, a security awareness advocate at KnowBe4, says that the whole organization is at risk if one employee falls for a phishing attack.
“One user clicks a link and enters their credentials on a fake login page. Its impact is exponentially problematic for the organization, from loss of data to damage to their brand and potential revenue loss.”
He proposes that organizations phish their own employees regularly to confirm that they know how to handle social engineering attacks.
“This event supports the issue that all organizations need to educate and phish their employees regularly to ensure they are aware of and know how to spot and report socially engineered emails.”
He also advocates email tools that warn employees when a message comes from outside the organization and may be unsolicited.
“Organizations want to ensure they have the email feature to alert users of external emails. A banner or bolded text at the top of the email informing the employee that they are reading an external email, which alerts them to pay extra attention, as it could be malicious with attachments or phishing links.”
The proposed training would familiarize employees with email security procedures, making it a habit to check where a link actually points, by hovering over it, before clicking.
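The two controls described above, an external-sender banner and checking that a link's visible text agrees with where it really points, are shown together below as an added example. This is illustrative code, not anything from the article, the SCO or KnowBe4: the organization domain, the banner wording and the two sample messages are constructed assumptions, and in practice the banner is applied by a mail-flow rule on the mail server rather than by a script like this.

```python
"""External-sender banner and deceptive-link check for one inbound message.

Added example (not code from the article, the SCO or KnowBe4). The
organization domain, the banner text and the sample messages are constructed
assumptions; a real deployment applies the banner as a server-side mail-flow
rule, this script only demonstrates the logic.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-state-agency.gov"  # assumption: the organization's own mail domain
BANNER = ("[EXTERNAL] This message came from outside the organization. "
          "Treat links and attachments with care.")


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: header, or '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message, org_domain: str = ORG_DOMAIN) -> bool:
    """True unless the From: domain is the org domain or one of its subdomains."""
    dom = sender_domain(msg)
    return not (dom == org_domain or dom.endswith("." + org_domain))


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str) -> str:
    """Host of a URL or bare domain string, lower-cased ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""


def deceptive_links(html_body: str) -> list:
    """(href, text) pairs whose visible text names a different host than the href.

    Only link text that itself looks like a URL or domain (no spaces, has a dot)
    is compared; text such as "Click here" cannot be judged this way.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        if not text or any(c.isspace() for c in text):
            continue
        shown = _host(text)
        if "." in shown and shown != _host(href):
            flagged.append((href, text))
    return flagged


def annotate(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Parse a single-part HTML message; report external status, flagged links, rendered body."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    external = is_external(msg, org_domain)
    return {
        "external": external,
        "deceptive_links": deceptive_links(body),
        "rendered": (BANNER + "\n" + body) if external else body,
    }


# Constructed sample: outside sender, one honest link and one whose text
# shows the agency's domain while the href goes elsewhere.
SAMPLE_EXTERNAL_RAW = """\
From: "Vendor Accounts" <accounts@vendor-partner.example>
To: staff@example-state-agency.gov
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the report at
<a href="https://example-state-agency.gov/unclaimed">https://example-state-agency.gov/unclaimed</a>
and sign in at
<a href="http://example-state-agency.gov.login-verify.example/auth">portal.example-state-agency.gov</a>.
</p></body></html>
"""

# Constructed sample: internal subdomain sender, link text matches its href.
SAMPLE_INTERNAL_RAW = """\
From: payroll@hr.example-state-agency.gov
To: staff@example-state-agency.gov
Subject: Pay stub available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your stub is at
<a href="https://hr.example-state-agency.gov/stubs">hr.example-state-agency.gov/stubs</a>.</p></body></html>
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL_RAW, SAMPLE_INTERNAL_RAW):
        result = annotate(raw)
        print("external:", result["external"], "flagged:", result["deceptive_links"])
```

The link check only fires when the visible text itself looks like a domain or URL, which is exactly the case where a hover would surprise the reader; generic text such as "Click here" is left for the user to hover over, and the banner still marks the whole message as external regardless of what the links look like.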