A California State Controller’s Office employee fell for a phishing link, leading to a data breach that resulted in the theft of around 9,000 records. The employee, who worked in the Unclaimed Property division, clicked on a phishing link received in an email and then entered a user ID and password. This gave an attacker the employee’s login details, and consequently access to the employee’s account, on the 18th and 19th of March. The unauthorised user was able to view and steal personal information contained in unclaimed property holder reports, and to send potentially malicious emails to other employees.
Fortunately, the breach was discovered and remediated promptly, and anyone affected has been notified. However, an unnamed source disclosed that the breach included access to the employee’s Microsoft Corp. Office 365 files, claiming: “This isn’t even the full extent of the breach.”