Reams of PII Stolen from Tens of Thousands of Citizens in LA County

Reams of PII Stolen from Tens of Thousands of Citizens in LA County

Los Angeles County is notifying about 756,000 people that their personal information may have been compromised, following a widespread phishing attack on government employees.

The information that the data thieves picked up is extensive: first and last names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history or medical record numbers.

According to a statement from the County of Los Angeles Chief Executive Office, 1,000 county employees received phishing emails on May 13, 2016. Out of those, 108 employees fell for the lures, giving cybercriminals network access to a variety of public agencies, including the Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.

It was seven months from compromise to disclosure.

"At the direction of the District Attorney's Office," a statement reads, "notification of the potentially affected individuals was delayed to protect the confidentiality of the sensitive, ongoing investigation and prevent broader public harm. Law enforcement agencies are authorized to request such exemptions to notification requirements."

Interestingly, the LA County DA's office has filed charges against Austin Kelvin Onaghinor, a 37-year old Nigerian national who is not yet in custody. He faces nine counts, including unauthorized computer access and identity theft. If convicted as charged, the defendant faces a maximum possible sentence of 13 years in state prison.

"My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law," said District Attorney Jackie Lacey. "In this instance, the team responded to the security breach, identified the source of the cyber-intrusion and thwarted Onaghinor's attack.”

Source: Information Security Magazine