More than 756,000 Californians are currently being notified that their private information may have been compromised after a single phishing email scammed 108 Los Angeles County employees last May.
L.A. County on Friday officially charged Kelvin Onaghinor of Nigeria with nine counts related to the breach, according to the Los Angeles County Chief Executive Office. Onaghinor has not yet been arrested and is not believed to be in the U.S. If convicted, he faces up to 13 years in state prison.
The potential victims of the phishing email could include anyone who had contact with the County’s Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.
Phishing attacks have seen a dramatic uptick this year, and more organizations than ever before have been duped into providing sensitive or proprietary information. There were more phishing attacks in the first quarter of 2016 than any other time in history, according to the Anti-Phishing Working Group. The L.A. case demonstrates the potential reach a phishing attack can have, and how just one attack can affect many, many people.
The attack also highlights the importance of employee training and awareness, something that could have been avoided with more awareness. Many county employees were duped into providing proprietary information. The L.A. county employees received emails that tricked them into providing their usernames and passwords. Through those 108 employees, about 756,000 individuals could have also been affected through their contact with several of the departments.
The county officials that fell victim to the attack had "confidential client/patient information" — from Social Security numbers to credit card data and private medical information — in their email accounts through their county responsibilities, according to county officials.