Phishing email scams 108 government employees, 756,000 people affected by breach

A single Phishing email scammed 108 LA County employees


On Friday, the LA County Chief Executive Office issued a public notice that 756,000 Californians were going to be receiving breach notification letters, after a single Phishing email scammed more than one hundred county employees.

The notice also said a warrant has been issued for the Nigerian responsible for the Phishing attack.

Earlier this year, on May 13, 108 LA County employees received a Phishing email, which eventually led them to disclose usernames and passwords. The attack was discovered a day later.

LA County has a total population of more than 10 million people, with more than eighty incorporated cities, including Los Angeles, Inglewood, Long Beach, Santa Clarita, Pasadena, and Burbank.

The context of the Phishing email wasn’t disclosed, so the nature of the lure that prompted the employees to release their credentials is unknown. Salted Hash has reached out to LA County for additional information.

Investigators said the email was sent by Austin Kelvin Onaghinor of Nigeria, and an arrest warrant was issued by prosecutors. However, it isn’t clear what information was discovered during the investigation that led law enforcement to Onaghinor.

While there isn’t any evidence the information exposed by the Phishing attack has been released to the public by Onaghinor or anyone associated with him, county officials are still going to notify 756,000 people who had contact with the agencies that were compromised.

According to the statement, anyone who had contact with the LA County Assessor’s office, the Chief Executive Office, Probation, Public Social Services, Children and Family Services, Child Support Services, Health Services, Mental Health, Public Health, Human Resources, Internal Service, Public Library, or Public Works, is potentially impacted by the incident.

The information possibly exposed by the compromised employee credentials includes base PII (first and last names, date of birth, Social Security numbers, addresses, and phone numbers), as well as driver’s license or state ID numbers, payment card and banking information, medical information (Medi-Cal or insurance carrier ID number), diagnosis, treatment history, and medical record numbers.

The county says that it will offer identity monitoring for everyone impacted by the incident. Speaking to the delay in notification, the LA County statement says that law enforcement requested notifications be withheld while the case was being investigated.

In response to the attack, the notice says LA County has “initiated an administrative review and implemented additional controls to minimize the risk of future Phishing attacks against county email accounts, as well as enhanced specific employee training to identify and respond to Phishing attacks as part of the county’s ongoing cyber-security awareness campaign.”

Copyright © 2016 IDG Communications, Inc.
