The troubles in the State of California seem to be multiplying, and this time it does not involve embattled Governor Gavin Newsom. Betty Yee is the State Controller of California; essentially the chief financial officer of the State. Her office is tasked with investigative authority for every dollar spent by the State, and she is an ex-officio member of the state’s Board of Equalization.

Sometime last week, Yee’s office suffered a data breach, thanks to an employee who clicked on a link and entered their email ID and password:

A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts.

In a “Notice of Data Breach” message posted on Saturday, Mar. 20, the Controller’s Office said that for more than 24 hours starting on the afternoon of March 18 attackers had access to the email records of an employee in its Unclaimed Property Division after the employee clicked a phishing link and then entered their email ID and password.

The text of the Notice on the State Controller’s website:

March 20, 2021

NOTICE OF DATA BREACH

WHAT HAPPENED?
An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email they received and then entered their user ID and password as prompted, unknowingly providing an unauthorized user with access to their email account. The unauthorized user had access to the account from March 18, 2021 at 1:42 p.m. to March 19, 2021 at 3:19 p.m..

WHAT INFORMATION WAS INVOLVED?
SCO has reason to believe the compromised email account had personal identifying information contained in Unclaimed Property Holder Reports. The unauthorized user also sent potentially malicious emails to some of the SCO employee’s contacts.

WHAT WE ARE DOING
The improperly accessed email account was discovered promptly, and access removed. SCO Unclaimed Property Division personnel immediately began a review of all emails in the account for personal identifying information that may have been viewed. A notice was emailed to all contacts who were sent an email from the unauthorized user, advising them to delete the email and not click on any links therein.

But according to Krebs Security, the breach compromised more than email addresses. Certain key documents were also accessed:

The SCO responded in an email that no state employee data was compromised.

“A single employee email account was briefly compromised by a spear phishing attack and promptly disabled,” SCO spokesperson Jennifer Hanson said. “SCO has notified the employee’s contacts who may have received a potentially malicious email from the unauthorized user. SCO team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties. The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification.”

A source in an adjacent California state agency who’s been tracking the incident internally with other employees says the SCO forgot to mention the intruders also had access to the phished employee’s Microsoft Office 365 files — and potentially any files shared with that account across the state network.

“This isn’t even the full extent of the breach,” said the California state employee, who spoke on condition of anonymity.

The source claims the intruders stole several documents with personal and financial data on thousands of state employees, and then used the phished employee’s inbox to send targeted phishing emails to at least 9,000 California state workers and their contacts. In a follow-up response to those claims, the SCO said its “IT security staff were able to determine — based on the same logs that identified the intrusion — that no access was made to any Office 365 files other than the employee’s mailbox.”

The California Department of Technology (CDT) is supposed to be the oversight and management arm for all the information infrastructure and information security of the State systems. This includes the California Employment Development Department, which is still unearthing a huge amount of fraud (over 31 billion) because of its lax security protocols and poor management.

The CDT is a heavily funded entity of the government. Here are the proposed changes and increases in the 2021-22 California State budget for this department:

The Governor’s 2021‑22 Budget proposes to pay the costs of some existing CDT programs and services from the General Fund instead, and to use General Fund for other budget proposals from the department. As a result, General Fund expenditures for CDT would increase $32.7 million year over year—from $6.8 million in 2020‑21 to $39.5 million in 2021‑22. (Total expenditures from all funds would increase from $434 million to $493 million.)

Why is more money being poured into a department that has essentially been caught with its pants down over fraudulent use of State funds, cybercrime, and data breaches? There is supposedly an audit occurring at the California EDD. Will there now be an audit of the Controller’s systems? Will this information be released to the very public who may have had information that was compromised because of CDT’s and the State Controller’s Office incompetence?

The Krebs Security report continues, pointing to a change in policy on how CDT handles Phishing training:

Organizations hoping to improve internal security often turn to companies that help employees learn how to detect and dodge email phishing attacks — by sending them simulated phishing emails and then grading employees on their responses. The employee said that until very recently California was using one such company to help them conduct regular employee training on phishing.

Then in October 2020, the California Department of Technology (CDT) issued a new set of guidelines that effectively require all executives, managers and supervisors to know all of the details of a phishing exercise before it occurs. Which suggests plenty of people who definitely should get phish tested along with everyone else won’t get the same ongoing training.

“Meaning, such people will not be tested ever again,” the state agency source said. “It’s utterly absurd and no one at CDT is taking ownership of this kludge. The standard was also written in such a way to effectively ban dynamic testing like you see in KnowBe4, where even an administrator won’t know what phishing template they might receive.” [Full disclosure: KnowBe4 is an advertiser on this site].

The CDT issued the following statement in response: “SCO informed CDT they have contained the phishing attack. The characterization of the CDT phishing exercise standard is incorrect. Before phishing tests in any state agency are performed, internal business units are advised to coordinate to avoid disruption or operational impact to public services. Supervisors and managers are routinely tested without advance notice to ensure employees at every level are aware of security hazards and can learn how to avoid them.”

Isn’t that interesting, because security protocols were also changed by California Labor Secretary Julie Su before all the EDD fraud occurred. Instead of Su being held accountable, she is on track to being confirmed as the Deputy Secretary for the United States Department of Labor. Just as with the California EDD, there is plenty of denial and CYA  going on. Not unlike what is happening in the executive branch of California.

Fish rot from the head, and stink to high heaven. Very much like the California government.