The California State Controller’s Office (SCO) has suffered a data breach after falling victim to a phishing attack.

Threat actors were able to access email and files after a member of the staff clicked on a malicious link and unwittingly shared their credentials. 

In a data breach notice published March 20, the SCO said: “An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email they received and then entered their user ID and password as prompted, unknowingly providing an unauthorized user with access to their email account.”

The SCO said that it had “reason to believe” that personal identifying information contained in unclaimed property holder reports was accessible to whoever compromised the employee’s email account.

An investigation into the incident revealed that the unauthorized user had access to the employee’s email account from 1:42pm on March 18 to 3:19pm on March 19. During this brief window of opportunity, the unauthorized user sent potentially malicious emails to some of the SCO employee’s contacts.

“A notice was emailed to all contacts who were sent an email from the unauthorized user, advising them to delete the email and not click on any links therein,” said the SCO.  

James McQuiggan, security awareness advocate at KnowBe4, commented: “This event supports the issue that all organizations need to educate and phish their employees regularly to ensure they are aware of and know how to spot and report socially engineered emails.”

He advised organizations to take steps to alert users when they receive an external email. 

“A banner or bolded text at the top of the email informing the employee that they are reading an external email, alerts them to pay extra attention, as it could be malicious with attachments or phishing links,” said McQuiggan.

He also advised employees to hover over links to verify if they are legitimate. 

“Sometimes it can be challenging to determine if it is a real link or not. Having an alert tool within the organization where the employees can report potential phishing emails can reduce the risk of attacks and ensure that the employee is taking the proper actions to protect the organization,” said McQuiggan.

Leave a Reply