Nigerian Man Charged in Hacking of Los Angeles County Emails (theguardian.com)
A 'mere' 10.8% phishing success rate has forced Los Angeles County to notify approximately 756,000 individuals that their personal information may have been compromised. The attack occurred on May 13, 2016, when 1,000 County employees received phishing emails; 108 employees were successfully phished. A Nigerian national has been charged in connection with the hack. From a report on The Guardian: Many large organizations would welcome a 10% success rate in their internal anti-phishing training sessions, with 30% and above being common. The 2016 Verizon DBIR suggests that 30% of all phishing emails are opened. The high number of individuals affected from a relatively low number of successes in LA County demonstrates how dangerous phishing attacks can be. The nature of the potentially compromised information is also concerning. "That information may have included first and last names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history, or medical record numbers," said the County of Los Angeles Chief Executive Office in a statement.
A Nigerian man caught hacking?
He must be Russian.
"That's the way to do it" - Punch
I bet it was a Nigerian prince they caught.
So big hurrah for LA County's judicial system. I am frustrated, however, that no entity, be it private, corporate, or municipality, has simply said protection of our information shall come first. This thought that let's just contract with (insert name provider, likely Microsoft) for an off-the-shelf solution which clearly isn't secure is absurd. Now I am also not saying some municipality should pay a contractor to custom design a system; we know which way that will go (see link).
DWP billing system errors add $245 million to uncollected debt
http://www.latimes.com/local/c...
Am I the only one who thinks all 'secure' networks should be on an isolated protocol, e.g. email being text only with no public-network-dependent information, user systems with no access to the internet, and no user-level login on public devices, including your phone?
The price being paid for the convenience of looking up bread pudding recipes from your work station (or ranting on /. for that matter) is simply too high. Just a thought.
My company HR sent notice of required anti-phishing email training.
- The email came from someone I never heard of.
- It contained a link to an external website.
- And the external website required we log in with our domain credentials.
I ignored the notices for weeks until my boss came to my desk and made me do it. Just unbelievable.
Our company set up our mail system to insert this line into ANY incoming external email. Has helped us a LOT with reducing the impact of phishing emails... along with filtering known phishing domains...
>>Attention: This email was sent from someone outside of [your company name here]. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.
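An added example (not the commenter's mail system or any vendor's rule) of the banner-insertion control described above: a Python filter that tags inbound mail whose From domain is not one of the organisation's own. The internal domain, company name and sample message are constructed for the example; the decision is made on the parsed address rather than the display name, so a forged display name does not suppress the banner.

```python
"""Tag inbound mail from outside the organisation with a warning banner."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # constructed: domains the organisation owns

BANNER = ("Attention: This email was sent from someone outside of Example Corp. "
          "Always use caution when opening attachments or clicking links from "
          "unknown senders or when receiving unexpected emails.")

# Constructed sample: a lure from an outside mailer using a trusted-looking display name.
SAMPLE = ("From: \"hr@example.com\" <payroll@mailer.test>\r\n"
          "To: staff@example.com\r\n"
          "Subject: Action required: confirm your account\r\n\r\n"
          "Please sign in with your domain credentials to view your W-2.\r\n")


def is_external(msg: EmailMessage) -> bool:
    """Treat mail as external unless the From *address* domain is one we own.

    parseaddr() separates the display name from the address, so a header like
    "hr@example.com" <payroll@mailer.test> is classified by mailer.test.
    """
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def tag_external(raw: str) -> EmailMessage:
    """Return the parsed message, with BANNER prepended to the text body and an
    X-External-Sender header added when the sender is external."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        # set_content() clears the old payload and re-encodes the new text.
        body.set_content(BANNER + "\n\n" + body.get_content())
    msg["X-External-Sender"] = "yes"  # lets downstream rules and users filter on it
    return msg


if __name__ == "__main__":
    print(tag_external(SAMPLE).as_string())
```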
You're messin' with my Zen Thing, man.....