Phishing' attack may trigger risk review
Following the revelation that more than 750,000 individuals were potentially affected by a 2016 "phishing" attack on Los Angeles County government computer systems blamed on a Nigerian man and his accomplices, supervisors are considering a comprehensive cyber-security risk assessment for all county departments.
Supervisor Janice Hahn wants an assessment on whether there is a need to develop a standardized process for periodic evaluation, auditing and updating of county department's cyber-security policies and practices.
"While the county has done its due-diligence to provide information and resources to the public following this tragic event, it is also prudent to take this opportunity to explore additional preventative approaches to mitigate cyber-security attacks," Hahn wrote to fellow supervisors.
The Board of Supervisors is scheduled to consider Hahn's proposal at its meeting Tuesday in downtown Los Angeles.
Hahn proposes ordering the county chief executive officer and the auditor-controller to look into the feasibility of a cyber-security assessment, and to report back within 60 days on the recommended methodology, estimated costs and projected timeline.
Los Angeles County officials said last month there was no evidence that confidential information from any member of the public was released through last May's "phishing" attack, which targeted Los Angeles County employees and for which an arrest warrant was issued last week for a Nigerian man.
However, county officials said that 756,000 individuals were potentially impacted, and they have begun a notification process that was delayed at the request of the District Attorney's office while the investigation was under way.
County officials said they are offering free identity monitoring including credit monitoring for potentially affected individuals.
The county set up a call station for anyone seeking additional information about the phishing attack. The call center can be reached 8 a.m. to 5 p.m. Monday through Friday at (855) 330-6368.
A website has also been established, https://www.211la.org/important-notice/.
The suspect in the "phishing" attack was identified as Austin Kelvin Onaghinor, who apparently lives in Nigeria, though a prosecutor said more people were involved. "Phishing" scams send deceptive emails to trick recipients into providing personal identifying information such as usernames and passwords as a way to access a victim's account.
The quality of the phishing emails was "very good," said Deputy District Attorney Donn Hoffman, who called the emails "persuasive."
"We're exploring all possibilities to bring him back to Los Angeles," Hoffman said of Onaghinor. "There certainly are other people involved. This kind of crime really isn't a single-person operation so much."
Hoffman said the investigation is continuing and that he is hopeful others will be prosecuted.
The "phishing" emails were sent to 1,000 county email addresses, and 108 county employees on May 13 provided their user names and passwords. Some of the workers had confidential client or patient information in their email accounts as a result of their county duties, officials said.
County officials learned about the breach the following day and "immediately implemented strict security measures" and implemented new controls to minimize the risk of future phishing attacks, county officials said in a statement issued Dec. 16.
"An exhaustive forensic examination by the county has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works," according to the statement.
Onaghinor is charged with one felony count of accessing and using computer data to commit fraud or to control or obtain money, property or data, along with eight felony counts of unlawful transfer of identifying information for identity theft, according to the felony complaint for arrest warrant.
The complaint includes an excessive-taking allegation of more than $500,000.