Sacramento, View of California State Capitol from 10th Street. (Andre m via CC BY-SA 3.0)
A California state agency was victimized by a phishing incident last week in which an employee clicked on a link that provided access to the employee’s account for some 24 hours.
During that time, the attackers allegedly stole social security numbers and sensitive files on thousands of state workers and then sent targeted phishing messages to at least 9,000 other state workers and their contacts, according to a report by KrebsOnSecurity.
The attack happened on the California State Controller’s Office (SCO) Unclaimed Property Division from March 18 to March 19.
In an announcement issued by SCO, officials said the improperly accessed email account was discovered promptly and access removed. SCO personnel in the Unclaimed Property Division immediately began a review of all emails in the account for personally identifiable information that may have been viewed. A notice was then emailed to all contacts who were sent an email from the unauthorized user, advising them to delete the email and not click on any links.
“This event supports the idea that all organizations need to educate and phish their employees regularly to ensure they are aware of and know how to spot and report socially-engineered emails,” said James McQuiggan, security awareness advocate at KnowBe4. “Organizations want to ensure they have an email feature that alerts users of external emails. A banner or bolded text at the top of the email informing the employee that they are reading an external email tells them to pay extra attention, as it could be malicious with attachments or phishing links.”Tim Wade, technical director of the CTO Team at Vectra, added that these phishing incidents are common, citing that in a recent Vectra survey, they found that of more than 1,000 IT decision makers, 75 percent of organizations have suffered account takeover in the last year.
“Unfortunately, it seems to occur too commonly in government institutions that we must absolutely trust to place our social interests above all else,” Wade said. “Clearly the current model isn’t working, and in part it’s because cybersecurity exists in patchwork pockets of excellence or absence throughout our government sectors. There’s a need for strategic leadership to modernize capabilities away from preventative controls that require everything to go right into resilience controls that detect, respond, and recover from these sorts of attacks before material damage is done. It’s a bipartisan issue that should unite us all.”