Phish Leads to Breach at Calif. State Controller
The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts.
"SCO has notified the employee's contacts who may have received a potentially malicious email from the unauthorized user. SCO team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties. The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification."
A source in an adjacent California state agency who's been tracking the incident internally with other employees says the SCO forgot to mention the intruders also had access to the phished employee's Microsoft Office 365 files - and potentially any files shared with that account across the state network.
The source claims the intruders stole several documents with personal and financial data on thousands of state employees, and then used the phished employee's inbox to send targeted phishing emails to at least 9,000 California state workers and their contacts.
Organizations hoping to improve internal security often turn to companies that help employees learn how to detect and dodge email phishing attacks - by sending them simulated phishing emails and then grading employees on their responses.
The CDT issued the following statement in response: "SCO informed CDT they have contained the phishing attack. The characterization of the CDT phishing exercise standard is incorrect. Before phishing tests in any state agency are performed, internal business units are advised to coordinate to avoid disruption or operational impact to public services. Supervisors and managers are routinely tested without advance notice to ensure employees at every level are aware of security hazards and can learn how to avoid them."
News URL
https://krebsonsecurity.com/2021/03/phish-leads-to-breach-at-calif-state-controller/