On a single day in May, 108 Los Angeles County employees fell for a phishing attack that affected approximately 756,000 individuals. Here is the press release issued Dec. 16 from the County of Los Angeles Chief Executive Office:
The County of Los Angeles today disclosed that it was the victim of a phishing email attack that potentially affected hundreds of thousands of individuals and has resulted in felony charges against a Nigerian national.
Based on intensive investigation and monitoring, there is no evidence that confidential information from any members of the public has been released because of the breach.
The phishing incident occurred May 13, 2016, when 108 County employees were tricked into providing their usernames and passwords through an email designed to look legitimate. Some of those employees had confidential client/patient information in their email accounts because of their County responsibilities. County officials learned of the breach the next day and immediately implemented strict security measures.
An exhaustive forensic examination by the County has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.
The District Attorney’s Office’s Cyber Investigation Response Team was notified and launched a far-reaching probe that led on Thursday to the issuance of an arrest warrant for Austin Kelvin Onaghinor of Nigeria. He was charged with nine counts, including unauthorized computer access and identity theft.
“My office will work aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law,” District Attorney Jackie Lacey vowed in a statement.
At the direction of the District Attorney’s Office, notification of the potentially affected individuals was delayed to protect the confidentiality of the sensitive, ongoing investigation and prevent broader public harm. Law enforcement agencies are authorized to request such exemptions to notification requirements.
On Thursday, with the filing of charges, the County promptly began the notification process.
The County of Los Angeles is committed to assisting any individuals whose personal information may have been compromised in this phishing incident.
That information may have included first and last names, dates of birth, Social Security numbers, driver’s license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history, or medical record numbers.
The County is offering free identity monitoring for potentially affected individuals. This includes credit monitoring, identity consultation and identity restoration.
A call center also has been established for anyone seeking additional information regarding the incident. The call center can be reached at 1-855-330-6368, Monday – Friday, 8:00 a.m. 5:00 p.m. PST.
Further, a website has been established to provide affected individuals with information in numerous languages. The website can be accessed at https://www.211la.org/important-notice/
Los Angeles County has gained national recognition for its aggressive pursuit of cyber criminals. As a result of this incident, the County has implemented new controls to minimize risk of future phishing attacks and has enhanced training to identify and respond to phishing attacks as part of the County’s ongoing cyber-security awareness campaign.
For more information on the District Attorney’s investigation and its Cyber Investigation Response Team, contact the agency’s Media Relations Division at (213) 257-2000.