The target: California State Controller’s Office
The take: Financial and personally identifiable information and documents, such as Social Insurance Numbers, on several thousand employees.
The attack vector: An employee, the target of a spear phishing attack, clicked on a suspicious link and entered their account ID/email address and password. This gave the attacker full access to SCO’s systems with the same level of access the employee had, including any files shared with the affected account. From here, the attacker further launched phishing attempts against over 9000 employees, using the hacked account to increase the believability of the scam.
Phishing attacks against individual employees remain one of the greatest security threats to the entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.