[BreachExchange] California Controller’s Office suffers data breach after employee fell for phishing email

Destry Winant destry at riskbasedsecurity.com
Wed Mar 24 10:53:43 EDT 2021


https://siliconangle.com/2021/03/23/california-state-controllers-office-suffers-data-breach-employee-fell-phishing-email/

The California State Controller’s Office is the latest victim of a data
breach, with the records of about 9,000 people stolen.

The data breach was caused by a phishing attack in which an employee of the
State Controller’s Office Unclaimed Property Division clicked on a link in
an email and then entered a user ID and password as prompted. Having
done so, the employee provided the login details to “an unauthorized user”
who then had access to the employee’s account March 18 and 19.

The stolen data involved personal information contained in unclaimed
property holder reports. In addition, the State Controller’s Office
notes that the unauthorized user sent potentially malicious emails to
some of the employee’s contacts.

The State Controller’s Office noted in its data breach report that the
breach was discovered promptly and access removed. A review took place and
anyone who may have been affected has been notified.

Although the official statement plays down the breach, Krebs on Security
reported, based on an unnamed source, that it failed to mention that the
breach included access to the employee’s Microsoft Corp. Office 365 files
and potentially any files shared with that account across the network.
“This isn’t even the full extent of the breach,” the source told Krebs.

“Many of the most devastating cyberattacks in history have started with a
link to a phishing URL,” Ralph Pisani, president at security management
platform provider Exabeam Inc., told SiliconANGLE. “A carefully crafted
email containing a malicious link can fool even the most security-aware of
employees. As soon as it is clicked, the clock begins ticking as hackers
move laterally throughout the network to extract as much information as
possible.”

The adversaries were in the system only for 24 hours but were able to steal
Social Security numbers and sensitive files on thousands of state workers,
he added. “All of this information was used to send targeted phishing
messages to at least 9,000 others and their contacts.”

Purandar Das, co-founder and chief executive officer at data security firm
Sotero Inc., noted that even a seemingly innocuous malicious attack can
enable attackers to gain insights and valuable information that can be used
to cause long-lasting damage to consumers and organizations.

“The security focus for organizations has to evolve to be data-centric
regardless of where it is stored,” Das added. “As important as perimeter
security is, securing data regardless of location has to become the
objective. Organizations have to start planning and deploying data-centric
security solutions assuming that the perimeter can and will be breached.”