Ventura County, California, is a small small county (population: 802,983 according to 2009 numbers from the US Census Bureau) north of the greater Los Angeles area. According to a March 29, 2011 story in the Ventura County Star entitled "Hacking of county system apparently extends beyond 2007", its credit card payment system for tax collections has apparently been hacked. The county's Treasurer-Tax Collector Steven Hintz is cited in this story as indicating that an earlier assessment that the hack affected only records related to the 2007 tax payments made by credit card is incorrect, and "...also involves payments made last year [2010]," according to Hintz, who himself paid by credit card in 2010 and received a phishing email over the past weekend (March 26-27) from cybercriminals based in the Philippines running an identity theft scam.
Cybercrooks apparently harvested e-mail addresses from county tax records, then used those addresses to phish those recipients. Other county residents believe that these attacks involve records from 2007 all the way through the end of 2010, during which time over 100,000 people paid county property tax bills online by credit card. For each year since 2007, in fact, the number of individuals paying by credit card has increased, from just over 18,000 for the 2006-2007 payment cycle (property taxes for each preceding year are due in January of the following year), up to over 31,000 for the 2009-2010 payment cycle.
The Ventura County Sheriff's Major Crimes Bureau is conducting an investigation, but the County DA is quoted as saying it would be "extremely difficult" given that this attack apparently originated outside the United States and was conducted purely online. County Treasurer Hintz said his office fielded calls from more than 1,400 residents who received phishing e-mails with the subject line "ePay Confirmation of Internet Payment" which present themselves as coming from the county tax assessor's office. Because the county's online system retains no personal or financial data about payors — other than their e-mail addresses, that is — county IT staff expressed confidence that cybercrooks were not able to harvest any such data from the system itself. That said, the leakage of e-mail addresses has obviously given would-be thieves a golden opportunity to seek such information directly from county residents via phishing e-mails.
A nearby independent network administrator close to the case named G.J. Goldwyn is quoted in the story attributing the hacking incident to a lack of informed, security-savvy consulting assistance. He is quoted as follows in the story as well:
This incident surely provides a cautionary message to public offices at all levels of government that controlling distribution of and access to resident, client, or public e-mail address information bears serious thought and consideration. Outright disclosure of such data only invites targeted phishing attacks.
Stu Sjouwerman
Cybercrooks apparently harvested e-mail addresses from county tax records, then used those addresses to phish those recipients. Other county residents believe that these attacks involve records from 2007 all the way through the end of 2010, during which time over 100,000 people paid county property tax bills online by credit card. For each year since 2007, in fact, the number of individuals paying by credit card has increased, from just over 18,000 for the 2006-2007 payment cycle (property taxes for each preceding year are due in January of the following year), up to over 31,000 for the 2009-2010 payment cycle.
The Ventura County Sheriff's Major Crimes Bureau is conducting an investigation, but the County DA is quoted as saying it would be "extremely difficult" given that this attack apparently originated outside the United States and was conducted purely online. County Treasurer Hintz said his office fielded calls from more than 1,400 residents who received phishing e-mails with the subject line "ePay Confirmation of Internet Payment" which present themselves as coming from the county tax assessor's office. Because the county's online system retains no personal or financial data about payors — other than their e-mail addresses, that is — county IT staff expressed confidence that cybercrooks were not able to harvest any such data from the system itself. That said, the leakage of e-mail addresses has obviously given would-be thieves a golden opportunity to seek such information directly from county residents via phishing e-mails.
A nearby independent network administrator close to the case named G.J. Goldwyn is quoted in the story attributing the hacking incident to a lack of informed, security-savvy consulting assistance. He is quoted as follows in the story as well:
"You can't rely just on regular IT people anymore," he said. "You really need to have an IT security consultant look at your system and tell you where your vulnerabilities are. Hackers are really, really smart and they're always one step ahead of everyone else."
This incident surely provides a cautionary message to public offices at all levels of government that controlling distribution of and access to resident, client, or public e-mail address information bears serious thought and consideration. Outright disclosure of such data only invites targeted phishing attacks.
Stu Sjouwerman