Share this article on:
It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May, 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.
The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.
In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.
At the time of writing, Onaghinor has yet to be arrested and his whereabouts is unknown. He is considered to be a fugitive of the law and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”
The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.
The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.
The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.”
According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.
The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.
While the information was potentially accessed 7 months previously, Los Angeles County has uncovered no evidence to suggest that any information has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services without charge.
Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.
Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a spectacular failure of systems and training, although the attack was detected the following day and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.
Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.
A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.
Solutions such as advanced spam filters can reduce the volume of phishing emails that are delivered to end users, while web filtering gateways can block users’ attempts to respond to phishing emails. Preventing end users from visiting websites based in foreign countries can reduce risk, although foreign-based phishers often host their phishing sites in the United States.
Along with next generation firewalls and intrusion detection systems it is possible to mount a reasonable defense against phishing attacks and reduce the damaged caused when those attacks succeed.
The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.