Phishing Scheme Allows Access to Los Angeles County Confidential Records

Last month, charges were filed against a hacker who used a phishing scheme in May 2016 to potentially access over 750,000 confidential health and personal records in Los Angeles County.  As this incident shows, phishing emails are still incredibly successful, and a high proportion of employees still fall for this type of cyberattack.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email.  The message tricked 108 employees into providing usernames and passwords to their accounts, some of which contained confidential patient or client information, officials said.  (source, emphasis mine)

Over 10% (ten percent!) of the targeted employees provided the usernames and passwords(!) for their accounts.  That is an astonishing rate, and should be a warning to security professionals everywhere.  Users are generally the weakest link in the security world, and unfortunately, Los Angeles County became another victim.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

In response to the attack, officials said they have strengthened security measures on county email accounts and enhanced employee training to guard against a growing number of cyber intrusions.

Sadly, the “enhanced employee training” may not be enough.  Even if only one percent of employees provided their credentials, that is usually more than enough for a cybercriminal to do damage: damage to the individuals whose records were accessed and damage to the reputation of the organization, among other things.

With two-factor authentication deployed organization-wide, however, phishing schemes are virtually no longer a threat.  Even if an employee provides usernames and passwords, cybercriminals will not have access to the user’s second factor, such as a YubiKey or Google Authenticator (both of which are supported by GreenRADIUS, our two-factor authentication solution).  And generally, once cybercriminals become aware that two-factor authentication is in place, they will move on to an easier target that does not have 2FA.

With a robust solution like GreenRADIUS, businesses and organizations can implement an affordable, easy-to-deploy, and easy-to-manage two-factor authentication security layer.  Contact us to learn more.
