Phish Leads to Breach at California State Controller


The data breach was caused by a phishing attack in which an employee of the State Controller’s Office Unclaimed Property Division clicked on a link in an email and then entered a user ID and password as prompted. Having done so, the employee handed the login details to “an unauthorized user,” who then had access to the employee’s account on March 18 and 19.

The California State Controller’s Office experienced a data breach on March 20. This was made public via a news alert shared by the office. According to the alert, the breach was caused by an employee responding to a phishing email. The employee in question was part of the California State Controller’s Office (SCO) Unclaimed Property Division and clicked a malicious link within the phishing email, subsequently entering their ID and password. As one might guess, threat actors were thereby able to gain privileged access to the State Controller’s network and the databases reachable from it.

The hacker had access to the system from March 18 to March 19. According to the news update, the attacker gained access to “personal identifying information contained in Unclaimed Property Holder Reports” and also “sent potentially malicious emails to some of the SCO employee’s contacts.”

“A single employee email account was briefly compromised by a spear phishing attack and promptly disabled,” SCO spokesperson Jennifer Hanson said. “SCO has notified the employee’s contacts who may have received a potentially malicious email from the unauthorized user. SCO team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties. The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification.”

A source in an adjacent California state agency who’s been tracking the incident internally with other employees says the SCO forgot to mention the intruders also had access to the phished employee’s Microsoft Office 365 files — and potentially any files shared with that account across the state network.

“This isn’t even the full extent of the breach,” said the California state employee, who spoke on condition of anonymity.

The source claims the intruders stole several documents with personal and financial data on thousands of state employees, and then used the phished employee’s inbox to send targeted phishing emails to at least 9,000 California state workers and their contacts.
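The pattern the source describes, a legitimate mailbox suddenly sending near-identical messages to thousands of recipients, is one that a mail gateway or SIEM can flag from outbound logs alone. The script below is an added example, not code from the article or from the SCO, and it runs on a constructed log sample rather than real SCO data: it slides a ten-minute window over each sender’s outbound mail and raises an alert once a sender reaches a threshold of distinct recipients, reporting the dominant subject line so an analyst can see at a glance whether the burst is a templated lure. The log format, mailbox names, and threshold are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions: how many distinct recipients one mailbox may reach
# within WINDOW before we treat it as a possible takeover. Set from the
# organisation's own baseline; 50 in 10 minutes is a placeholder.
WINDOW = timedelta(minutes=10)
THRESHOLD = 50


def parse_line(line):
    """Parse one assumed gateway log line: '<ISO ts> <sender> <recipient> <subject>'."""
    ts, sender, rcpt, subject = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, rcpt, subject


def find_mass_senders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: (first_alert_time, distinct_recipients, top_subject)}.

    A sender is alerted the first time the number of distinct recipients it
    mailed within any trailing `window` reaches `threshold`. Only the first
    alert per sender is kept, since that is the moment to disable the account.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_sender = defaultdict(deque)  # sender -> deque of (ts, recipient, subject)
    alerts = {}
    for ts, sender, rcpt, subject in events:
        q = per_sender[sender]
        q.append((ts, rcpt, subject))
        # Drop everything older than the trailing window.
        while q and ts - q[0][0] > window:
            q.popleft()
        recipients = {r for _, r, _ in q}
        if len(recipients) >= threshold and sender not in alerts:
            top_subject = Counter(s for _, _, s in q).most_common(1)[0][0]
            alerts[sender] = (ts, len(recipients), top_subject)
    return alerts


def build_sample_log():
    """Constructed log, loosely following the article's timeline: ordinary
    traffic on 18 March, then a burst of identical messages on 19 March.
    Mailbox and domain names are made up."""
    lines = [
        "2021-03-18T09:02:11 phished@sco.example.gov bob@sco.example.gov Re: Q1 holder report",
        "2021-03-18T11:45:03 phished@sco.example.gov carol@dot.example.gov Meeting notes",
        "2021-03-18T16:20:55 other@sco.example.gov bob@sco.example.gov Timesheet",
    ]
    burst_start = datetime(2021, 3, 19, 7, 0, 0)
    for i in range(120):
        ts = (burst_start + timedelta(seconds=2 * i)).isoformat()
        lines.append(
            f"{ts} phished@sco.example.gov user{i:03d}@agency.example.gov "
            "Action required: review shared document"
        )
    return lines


if __name__ == "__main__":
    for sender, (when, count, subject) in find_mass_senders(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {sender}: {count} distinct recipients "
              f"in {WINDOW}, dominant subject {subject!r}")
```

Alerting on distinct recipients rather than raw message count keeps a reply-all thread to the same handful of colleagues from tripping the rule, while a templated lure sent to a contact list is caught within the first couple of minutes of the burst, which is the window in which disabling the account still prevents most of the follow-on phishing.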

In October 2020, the California Department of Technology (CDT) issued a new set of guidelines that effectively require all executives, managers and supervisors to know all of the details of a phishing exercise before it occurs. That suggests plenty of people who should be phish-tested along with everyone else won’t get the same ongoing training.

“Meaning, such people will not be tested ever again,” the state agency source said. “It’s utterly absurd and no one at CDT is taking ownership of this kludge. The standard was also written in such a way to effectively ban dynamic testing like you see in KnowBe4, where even an administrator won’t know what phishing template they might receive.” Full disclosure: KnowBe4 is an advertiser on this site.

Purandar Das, co-founder and chief executive officer at data security firm Sotero Inc., noted that even a seemingly innocuous attack can give attackers insights and valuable information that can be used to cause long-lasting damage to consumers and organizations.

“The security focus for organizations has to evolve to be data-centric regardless of where it is stored,” Das added. “As important as perimeter security is, securing data regardless of location has to become the objective. Organizations have to start planning and deploying data-centric security solutions assuming that the perimeter can and will be breached.”