
Cyber Incident Victim: California State Controller's Office

Date: Mar 2021

Location: United States of America

Summary

The California State Controller's Office experienced a data breach after an employee fell victim to a phishing email and inadvertently gave an unauthorized user the credentials to their email account. The attacker retained access for over a day, during which they sent potentially malicious emails to contacts in the employee's mailbox and potentially exposed personnel files and contact information. While initial reports suggested a broader compromise of Microsoft Office 365 files, the subsequent investigation indicated that access was limited to the affected email account.


Description

On March 18, 2021, at 1:42 PM local time, an employee in the California State Controller’s Office (SCO) Unclaimed Property Division fell victim to a phishing attack by clicking a link in a deceptive email and then entering their user ID and password. This gave an unauthorized individual access to the employee’s email account. The attacker retained access for approximately 25 hours and 37 minutes, until 3:19 PM on March 19, during which they used the compromised account to send potentially malicious emails to contacts in the employee’s address book. The breach exposed personnel files and email contact lists associated with the account, though the SCO did not specify the volume or identities of the affected individuals. Initial reports from KrebsOnSecurity, citing an anonymous source in a related state agency, suggested the attacker had accessed the employee’s Microsoft Office 365 files, but SCO officials later refuted this, stating that their investigation found no evidence of access beyond the email mailbox itself. The incident was detected and contained by SCO’s internal security teams, who revoked the attacker’s access upon discovery.


The SCO issued a public breach notification confirming the unauthorized access period and the exfiltration of sensitive personnel and contact data, but did not disclose whether external stakeholders or citizens were affected. No ransomware deployment or compromise of financial systems was reported. The agency emphasized that its investigation, conducted with unspecified cybersecurity partners, found no lateral movement into other Office 365 resources or critical state systems. Response actions included credential resets for the affected account and enhanced phishing awareness training for staff. The SCO did not reveal whether law enforcement was engaged or whether forensic audits identified the threat actor’s origin. Consequences were limited to data exposure and operational disruption within the Unclaimed Property Division, with no reported follow-on attacks stemming from the compromised communications.
