L.A. County: Major Breach Stemmed from Phishing Attack
Arrest Warrant Issued for Nigerian Suspect in Breach of Financial, Health Data
The County of Los Angeles is notifying 756,000 individuals of a breach that occurred five months ago stemming from a phishing scheme that tricked more than 100 county employees. Bank account and payment card information, Social Security numbers and health-related information were potentially exposed.
In a statement, the county says it became aware of the incident one day after it occurred on May 13. Notification was delayed due to a "far reaching investigation" by the county district attorney's cyber investigation response team that resulted in a criminal arrest warrant being issued on Dec. 15 for Austin Kelvin Onaghinor of Nigeria. He was charged with nine counts, including unauthorized computer access and identity theft.
"My office will work aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law," District Attorney Jackie Lacey said in the statement.
Donn Hoffman, deputy district attorney for Los Angeles County, tells Information Security Media Group that Onaghinor is a fugitive. Hoffman declined to comment on other details in the case, including whether other individuals are being investigated. "Charges have been filed [against Onaghinor] for theft and misuse of L.A. County confidential information, not information of members of the public," he says.
Los Angeles County says there is no evidence that confidential information from any members of the public has been misused as a result of the breach.
In its statement, the county notes: "An exhaustive forensic examination by the county has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works."
The county says the hacker potentially gained access to names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history or medical record numbers.
The county is offering one year of free credit monitoring, identity consultation and identity restoration for affected individuals.
The phishing incident occurred May 13 when 108 county employees were "tricked into providing their usernames and passwords through an email designed to look legitimate," the county's statement says.
"Some of those employees had confidential client/patient information in their email accounts because of their county responsibilities." Upon learning of the breach the next day, the county "immediately implemented strict security measures."
A Growing Problem
Phishing and other cyberattacks, including incidents involving ransomware, have been on the rise in healthcare and other sectors over the last two years.
Some experts expect those attacks to become even more pervasive and difficult to battle in the year ahead.
"Ransomware and phishing attacks will become more sophisticated and more realistic [compared with] what we've seen before" in terms of attempts to fool users, predicts Curt Kwak, CIO at Proliance Surgeons, a large surgical practice in the state of Washington.
But organizations can take steps to help prevent falling victim to data breaches resulting from phishing schemes.
For example, Mac McMillan, CEO of the security consulting firm CynergisTek, says deploying "the right complement of controls and education" is critical to preventing breaches resulting from phishing attacks. Organizations should deploy "advanced threat detection technologies like advanced malware detectors, email and web gateways, etc.," he says.
Government agencies also can issue workers "a second factor for authentication so that simply losing one's email login doesn't work," McMillan adds.
Keith Fricke, partner and principal consultant at tw-Security, says a key to educating users about phishing includes conducting "periodic internal phishing campaigns to track click metrics and provide awareness training to those falling victim to the tests."
Technology is also available "that can block access to some malicious websites users attempt to connect to from within a phishing email," he says. "Also, if your organization does not do business with businesses in foreign countries, block all incoming Internet traffic from those locations, including email. If you do conduct business with a manageable number of foreign organizations, white list them and block everyone else."
Breach Prevention Measures
Whether a breach can be prevented after a user falls for a phishing email depends on a number of factors, McMillan notes. Those include: what other complementary controls are in place, how early the intrusion is detected and how quickly the attacker executes their attack.
"If the attacker does not follow up right away, and we detect the breach quickly, we can change privileges to render the stolen [credentials] ineffective, for example," he says.
Fricke notes that implementing endpoint protection on workstations and laptops, as well as advanced malware protection in next-generation firewalls, "can block malicious activities attempting to materialize if someone interacts with a phishing email."
Identifying a cybercriminal involved in a phishing attack can prove challenging, Fricke notes.
"Techniques exist to mask where attacks originate from," he says. "The additional problem is if law enforcement can track down the criminal, they may be living in a country with whom the U.S. has no extradition treaty."
Hoffman, the deputy district attorney, says Los Angeles County "has a policy to investigate cybercrimes and pursue criminal prosecutions in these cases."
The phishing incident isn't the only large breach reported by Los Angeles County in recent years involving PHI.
In March 2014, the county reported an incident involving the theft of eight unencrypted desktop computers from a Torrance, Calif., office of Sutherland Healthcare Services, a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. That incident affected about 340,000 individuals.