Los Angeles County has begun notifying 756,000 individuals that may have had their personal information compromised during a phishing attack on LA County employees in mid-May this year.
The attack occurred on May 13, 2016, when 1,000 LA County employees received phishing emails. Of those employees, 10.8% were successfully phished, leaving many concerned with the large number of impacted victims by such a small phishing success rate.
The County of Los Angeles Chief Executive Office released a statement last Friday claiming the information compromised may have included first and last names, dates of birth, Social Security #’s, driver’s license and state identification numbers, payment information, bank account information, home addresses, phone numbers, and/or medical information.
Those individuals affected by this attack would have been through their contact with the Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.
Even more shocking, it took seven months for the county to disclose the breach to the public. County official took advantage of the exemption from disclosure laws that allows delayed notification if necessary to protect ongoing legal investigations. With support from the District Attorney’s Office, “notification of the potentially affected individuals was delayed to protect the confidentiality of the sensitive, ongoing investigation and prevent broader public harm.”
The LA County DA’s office also announced on Friday that they successfully completed the investigation into this incident and have filed charges against Austin Kelvin Onaghinor, a 37-year-old Nigerian national. Onaghinor is being charged with nine counts including unauthorized computer access and identity theft.
The State of California’s District Attorney General, Kamala D. Harris, released a report, The State of California Data Security Breach Reporting, earlier this year recommending the Center for Internet Security’s Critical Security Controls (CSC) as the baseline for implementing reasonable security measures under California law. Furthermore, Harris claimed that “failure to implement all the CIS Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
As one of a handful of CIS Certified Vendors, NNT has access to security configuration benchmarks, software, metrics, and discussion forums where NNT is an essential stakeholder in collaborating on security best practices. We have leveraged these practices and resources in our products to measure and improve the security of our customers.
Read this article on SecurityWeek