Phishing Attack Exposes Sensitive Data at California Agency
Incident Raises Cybersecurity Questions, Experts Say
A phishing attack that targeted a unit of the California State Controller’s Office, exposing Social Security numbers and other sensitive information, should raise questions about the type of security deployed by the agency and prompt a fresh examination of its cybersecurity plans, some security experts say.
This week, the state controller's office published a breach notification on its website, and shared it with the California Attorney General's Office.
The phishing attack, which occurred March 18-19, appears to have targeted an employee of the office's Unclaimed Property Division, which manages about $10 billion worth of lost or forgotten property, such as bank accounts, stocks, bonds, uncashed checks, insurance benefits, wages and the content of safety deposit boxes.
The notification states that personally identifiable information exposed includes names, Social Security numbers, dates of birth, addresses and the value of property turned over to the agency.
Since discovering the breach, the state controller's office has contacted more than 9,000 California residents whose data may have been exposed as well as another 9,000 who were listed in the employee's contact list and received emails during the two-day attack. This group included businesses that have reported unclaimed property to the state as well as state workers, says Jennifer Hanson, a spokesperson for the state controller's office.
In the breach notification, officials say that the employee clicked on the phishing email and gave the attacker access to the account.
"The spear-phishing email was received by one [state controller's office] employee who entered their credentials, which triggered the attack. No malicious code or malware has been detected," Hanson says, adding that California law enforcement, including the state attorney general's office, has been notified.
Factors to Investigate
The government agency needs to determine if the attacker may have gained access to additional systems or if other employees clicked on phishing emails as well, says Mike Hamilton, the former CISO of Seattle who's now the CISO of CI Security.
"From a CISO's perspective, I would want to find out immediately how broadly the phishing e-mail was distributed … to whom else it was delivered, followed by ensuring that none of the other recipients gave up credentials," Hamilton says.
Hamilton also says the agency should notify any external organizations that may have had their email systems compromised, including commercial services such as Gmail, to make sure they monitor and remove accounts connected to the attack.
"If there were web properties involved, [the agency should] notify either the owner of a compromised site or the operator of a domestic data center from which the campaign is being conducted," Hamilton says.
James McQuiggan, a security awareness advocate at KnowBe4, says that following this type of phishing attack, government organizations should immediately add an extra layer of security even before the investigation is finished.
"It is a solid recommendation to implement … multifactor authentication to add an extra layer of protection when it comes to email," McQuiggan says.
He also says government agencies should review their incident response plans to ensure they are up to date.
"Incident response plans for ransomware, phishing attacks or malware infections should be like recipes that can be replayed and tested through tabletop exercises. These activities can reduce downtime and support mitigating the risk of data loss and damage to the organization's brand and bottom line," McQuiggan says.
Hamilton says an updated incident response plan should offer guidance on tracking down whether the employee who was phished shared credentials with other workers and whether that could have exposed any additional records or documents.
Prompt notification of individuals is essential when highly sensitive data stored by government agencies, such as the California Unclaimed Property Division, is exposed, says Andrew Barratt, the managing principal for solutions and investigations at security consulting firm Coalfire.
"Rather than try to take the long view on identity fraud of individuals, there may be a much more significant payday by using that information to potentially gain access to estates or other unclaimed securities or valuables," Barratt says. "Having access to all the information may make it easier for fraudsters to make rogue claims against these assets or build up identities that could plausibly look like the rightful heir, and the state controller's office could inadvertently be giving away unclaimed assets to fraudsters for years."
McQuiggan adds: "With this type of breach, the attacker was able to gain access to the user's account for about 14 hours. While it might seem like a short amount of time, the attacker had access to all email accounts. Since the data was related to confidential and personally identifiable information, the organizations need to report it to law enforcement authorities to coordinate the response and action plan to communicate to those impacted by the data loss."
Limits of Training
Barratt notes that the state controller's office is likely to institute new phishing awareness training for employees, but because attacks are constantly evolving, such training may have a limited impact (see: Internet-Enabled Crime: 2020 US Losses Exceed $4.2 Billion).
"Other controls are to ensure that multifactor authentication is in pervasive use, to ensure that the endpoint agent on employee-managed computers is capable of identifying aberrational behavior and that the organizational monitoring tools are capable of identifying logins from sources that have never been seen prior."
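Hamilton's advice above (find out to whom else the lure was delivered, then confirm none of those recipients gave up credentials) and Barratt's point about flagging logins from sources never seen before can be checked mechanically by joining a mail-server message trace against identity-provider sign-in logs. The Python below is an added example, not code from the article, the agency or any of the quoted experts. The recipient list, sign-in events, IP addresses, timestamps and the 48-hour post-delivery window are constructed assumptions for illustration; the only logic is "successful sign-in, by a lure recipient, after delivery, from an (IP, country) pair that user never used before the campaign began."

```python
"""Correlate a phishing campaign's recipient list with sign-in logs to find
which recipients authenticated from a source never seen before the campaign.

All data here is constructed for illustration (hypothetical users, IPs and
times); it is not from the incident described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical message trace: who received the lure, and when it was delivered.
PHISH_RECIPIENTS = {
    "alice@agency.example": datetime(2021, 3, 18, 9, 2),
    "bob@agency.example": datetime(2021, 3, 18, 9, 2),
    "carol@agency.example": datetime(2021, 3, 18, 9, 3),
}

# Hypothetical sign-in log: (time, user, source IP, country, result).
SIGNIN_LOG = [
    # Pre-campaign history establishes each user's normal sources.
    (datetime(2021, 3, 1, 8, 0), "alice@agency.example", "203.0.113.10", "US", "success"),
    (datetime(2021, 3, 10, 8, 5), "alice@agency.example", "203.0.113.10", "US", "success"),
    (datetime(2021, 3, 2, 8, 0), "bob@agency.example", "203.0.113.11", "US", "success"),
    (datetime(2021, 3, 12, 8, 0), "bob@agency.example", "198.51.100.7", "US", "success"),
    (datetime(2021, 3, 3, 8, 0), "carol@agency.example", "203.0.113.12", "US", "success"),
    # Activity after the lure was delivered.
    (datetime(2021, 3, 18, 9, 40), "alice@agency.example", "203.0.113.10", "US", "success"),  # known source
    (datetime(2021, 3, 18, 10, 15), "alice@agency.example", "192.0.2.44", "NL", "success"),   # never seen
    (datetime(2021, 3, 19, 0, 10), "alice@agency.example", "192.0.2.44", "NL", "success"),    # never seen
    (datetime(2021, 3, 18, 9, 50), "bob@agency.example", "192.0.2.99", "RU", "failure"),      # failed only
    (datetime(2021, 3, 18, 11, 0), "carol@agency.example", "203.0.113.12", "US", "success"),  # known source
]


def baseline_sources(log, cutoff):
    """(ip, country) pairs each user successfully signed in from before the cutoff."""
    seen = defaultdict(set)
    for ts, user, ip, country, result in log:
        if ts < cutoff and result == "success":
            seen[user].add((ip, country))
    return seen


def first_seen_logins(log, recipients, window=timedelta(hours=48)):
    """Successful sign-ins by lure recipients, after delivery and within the window,
    from a source the user never used before the campaign started."""
    campaign_start = min(recipients.values())
    baseline = baseline_sources(log, campaign_start)
    flagged = []
    for ts, user, ip, country, result in sorted(log):
        delivered = recipients.get(user)
        if delivered is None or result != "success":
            continue  # not a recipient, or the attempt did not succeed
        if not (delivered <= ts <= delivered + window):
            continue  # outside the post-delivery window
        if (ip, country) not in baseline[user]:
            flagged.append({"time": ts, "user": user, "ip": ip, "country": country})
    return flagged


def access_windows(flagged):
    """Per flagged user: first and last suspicious sign-in and the span between them,
    a rough lower bound on how long the attacker held the account."""
    spans = {}
    for f in flagged:
        first, last = spans.get(f["user"], (f["time"], f["time"]))
        spans[f["user"]] = (min(first, f["time"]), max(last, f["time"]))
    return {u: (a, b, b - a) for u, (a, b) in spans.items()}


if __name__ == "__main__":
    hits = first_seen_logins(SIGNIN_LOG, PHISH_RECIPIENTS)
    for h in hits:
        print(f"{h['time']:%Y-%m-%d %H:%M} {h['user']} from {h['ip']} ({h['country']})")
    for user, (first, last, span) in access_windows(hits).items():
        print(f"{user}: suspicious access {first:%H:%M} to {last:%m-%d %H:%M}, about {span}")
```

Users returned by `access_windows` are the ones to reset credentials for, revoke sessions and tokens on, and search for mailbox rules and forwarding on; a recipient with only failed attempts from a strange source (bob above) still merits a password reset, but the log does not show the account being used. In production the "source" key would usually include ASN or user-agent rather than raw IP alone, and the baseline should be built from a longer history than the few events constructed here.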