LOS ANGELES – County officials Friday announced criminal charges against a Nigerian national who allegedly waged a phishing e-mail attack that targeted Los Angeles County employees and potentially affected more than 750,000 people.
“Based on intensive investigation and monitoring, there is no evidence that confidential information from any members of the public has been released because of the breach,” according to a statement released by Los Angeles County’s Chief Executive Office.
Los Angeles County officials said that 108 county employees were tricked May 13 into providing their user names and passwords through an e-mail designed to look legitimate, and that some of the workers had confidential client or patient information in their e-mail accounts as a result of their county duties.
County officials learned about the breach the following day and “immediately implemented strict security measures” and implemented new controls to minimize the risk of future phishing attacks, authorities said.
“An exhaustive forensic examination by the county has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works,” according to the statement.
The county “promptly began the notification process” Thursday after an arrest warrant was issued for Austin Kelvin Onaghinor of Nigeria, and had delayed notifying potentially affected individuals at the direction of the Los Angeles County District Attorney’s Office to protect the confidentiality of the investigation, according to the statement.
Onaghinor is charged with one felony count of accessing and using computer data to commit fraud or to control or obtain money, property or data, along with eight felony counts of unlawful transfer of identifying information for identity theft, according to the felony complaint for arrest warrant.
“We’re exploring all possibilities to bring him back to Los Angeles,” said Deputy District Attorney Donn Hoffman.
The prosecutor noted that the quality of the phishing e-mails was “very good” and said the e-mails were “persuasive.”
“There certainly are other people involved,” Hoffman said. “This kind of crime really isn’t a single-person operation so much.”
He said the investigation is continuing and that he is hopeful others will be prosecuted.
Los Angeles County District Attorney Jackie Lacey said in a statement that her office has “devoted significant resources to developing cutting-edge expertise and relationships that allow us to hold transnational cyber-criminals accountable.”
“My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law,” Lacey said.
The county noted that it is committed to helping anyone whose personal information — including first and last names, dates of birth, Social Security numbers, driver’s license or state identification numbers, payment card information, bank information, home addresses and phone numbers — may have been compromised by the phishing attack
The county is offering free identity monitoring for potentially affected individuals that includes credit monitoring.
The county has also offered a call station for anyone seeking additional information about the phishing attack. The call center can be reached Monday through Friday, between 8 a.m. and 5 p.m. PST at 855-330-6368.
A website has also been established at https://www.211la.org/important-notice/.