Spoofed CEO email causes data breach at health care provider

On February 3, 2016, an “unidentified third person” obtained an Excel spreadsheet containing the “personal information for all active employees” of the California rehabilitation and nursing home provider Magnolia Health Corporation by impersonating its CEO, Kensett “Kenny” J Moyle, and “using what appeared to be his email address”.

In a notification letter sent to all employees, the Magnolia Health CEO said: “It was not until February 10, 2016 that we realized that this information had not been requested by anyone at MHC and that it had been disclosed to an unauthorized third person whose identity is presently unknown.”

The breached information included: “Employee Number, Name, Address, City, State, Zip, Sex, Date of Birth, Social Security Number, Hire Date, Seniority Date, Salary/Hourly, Salary/Rate, Department, Job Title, Last Date Paid, and [name of applicable] Facility” for each person. Staff have been offered free identity theft prevention and mitigation services.

Business email compromise

CEO fraud is a very lucrative scam for criminals. According to the FBI, 7,066 US businesses fell victim to business email compromise (BEC) between October 2013 and August 2015, losing $747,659,840.63.

“These totals, combined with those identified by international law enforcement agencies during this same time period, bring the BEC exposed loss to over $1.2 billion.”

Staff training

It’s essential that all staff are properly trained to recognize spoof emails. With an IT Governance Employee Phishing Vulnerability Assessment, you can see whether your staff are likely to put you at risk. The test will simulate a phishing campaign for a targeted sample of your employees, enabling you to assess your employees’ awareness of spoof email attacks and take remedial action in order to address any security gaps that are identified.

Coupled with our Phishing Staff Awareness Course, which educates staff on the risks of spoof emails, the assessment helps your team understand how phishing works, what tactics cyber criminals employ, and how to spot and avoid phishing campaigns.
