THIS COULD HAPPEN TO YOU! - TML Conference · sanmarcostx.gov
An evaluation of the City of San Marcos 2017 phishing incident that led to the release of 800 employees' W2s

Posted 31-Jul-2018

TRANSCRIPT

An evaluation of the City of San Marcos 2017 phishing incident that led to the release of 800 employees' W2s

THIS COULD HAPPEN TO YOU!

• Incident
• Response
• What We Learned

Headline NEWS

Incident

Phishing email led to the release of 800 current & former employees' W2s

Where it all began…

Red flags…

City Response Team

• Finance
• Human Resources
• Information Technology
• City Manager's Office
• Communications
• Police

Timeline

• Received notice from two employees in the same department that TurboTax had rejected their online tax filing.
• Contacted the IRS in reference to the notice; IT began internal correlation between the two employees' computers.
• IT made the Risk Manager aware of a potential phishing email that a City employee may have replied to.
• Following business day, received more notices of online filing rejections from additional employees in different departments.
• IT began an extensive data analysis, which found that a response to the phishing email had actually been sent to the phisher.
• Phishing incident identified & City response began.

Communications

• City Leadership
• Department Staff
• Affected City Employees
  – Current
  – Former
• Interviews with the Media
• Social Media

Response

• City Manager's Office notification to employees
  – Email sent by CMO notifying employees of the incident
• Risk Manager contacted Cyber Liability carrier
  – Carrier provided contact for a Breach Response Services Company
  – Coverage included outside legal counsel & Identity Theft Protection

Response

• Established internal single point of contact
• Distributed FAQs & Q&As to employees via email
• Developed detailed web page on employee portal

Outside Legal Counsel

• Provided sample employee communications
  – Included required wording for Texas residents
  – Provided separate requirements for minors or affected former employees who had relocated out of state
• Suggested affected employees file a police report
• Worked with IRS to 'flag' affected employees

Identity Theft Protection

• Cyber Liability Coverage provided one year of identity theft protection service through online monitoring
  – City added an additional 2 years of coverage
• All affected employees (current & former) received notification letters by mail
• Current affected employees received letters in person
• Computer lab set up & staffed by City Response Team for 2 weeks

Resources

• Internal Revenue Service
  – Online
  – In-person
• Employee Assistance Program

End User Training: In-Person

Awareness Pays Off

…until you hit reply.

O365 sensed fraud

Moving Forward

Steps we have taken to mitigate future incidents:
– Email Signatures
– External Source Warning
– End User Training
– O365 Data Loss Prevention Policies
– Online Security Training
– Phishing Test Campaigns

Email Signatures

• Standardization

Benefits:
• Professional appearance across the organization

External Source Warning

End User Training: In-Person

End User Training: Via Email

Microsoft Office 365 Data Loss Prevention Policies

With a DLP policy we can:

• Identify sensitive information across many locations, such as Office 365 emails, SharePoint Online, and OneDrive for Business.
• Detect sensitive information in message attachments, body text, or subject lines, and adjust the confidence level at which Exchange takes action.
• Prevent the accidental sharing of sensitive information.
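The three bullets above describe what a DLP rule does mechanically: scan each part of a message for sensitive information types, attach a confidence level to every match, and act only when that confidence clears the threshold the policy sets. The Python script below is an added example that walks through that flow; it is not the City's code and not Microsoft's DLP engine. The information types (SSN, payment card number, ABA routing number), the supporting-keyword lists, the 85/65 confidence scores, the 75 threshold and the sample message are all assumptions constructed for the demo; the validity checks (SSA issuance rules, Luhn, ABA checksum) are the standard public ones.

```python
"""DLP-style sensitive-information scanner (added example, not the City's
or Microsoft's code). Scans subject, body and attachment text for assumed
sensitive-info types, scores each match with a confidence level, and
decides an action once the confidence meets the policy threshold."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Finding:
    info_type: str   # "SSN", "CreditCard" or "ABARouting"
    value: str       # matched text as it appeared in the message
    location: str    # "subject", "body" or "attachment:<name>"
    confidence: int  # 0-100, modelled on DLP confidence levels


# Formatted SSN only: an unformatted 9-digit SSN would collide with routing numbers.
PATTERNS: Dict[str, "re.Pattern"] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CreditCard": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ABARouting": re.compile(r"\b\d{9}\b"),
}

# Assumed supporting keywords: a match with one of these nearby scores higher.
KEYWORDS: Dict[str, tuple] = {
    "SSN": ("ssn", "social security", "w-2", "w2", "taxpayer"),
    "CreditCard": ("card", "visa", "mastercard", "expir", "cvv"),
    "ABARouting": ("routing", "aba", "bank", "wire", "direct deposit"),
}


def ssn_ok(digits: str) -> bool:
    """SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: weights 3,7,1 repeating; weighted sum mod 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


VALIDATORS: Dict[str, Callable[[str], bool]] = {"SSN": ssn_ok, "CreditCard": luhn_ok, "ABARouting": aba_ok}


def scan_text(text: str, location: str, window: int = 60) -> List[Finding]:
    """Report validated matches: 85 with a supporting keyword nearby, else 65."""
    findings, lowered = [], text.lower()
    for info_type, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if not VALIDATORS[info_type](digits):
                continue                    # fails format/checksum: not reported at all
            context = lowered[max(0, m.start() - window): m.end() + window]
            near = any(k in context for k in KEYWORDS[info_type])
            findings.append(Finding(info_type, m.group(0), location, 85 if near else 65))
    return findings


def scan_message(subject: str, body: str, attachments: Dict[str, str]) -> List[Finding]:
    """Scan every part of the message, as the DLP rule does."""
    findings = scan_text(subject, "subject") + scan_text(body, "body")
    for name, content in attachments.items():
        findings += scan_text(content, f"attachment:{name}")
    return findings


def policy_action(findings: List[Finding], external_recipient: bool, threshold: int = 75) -> str:
    """'block' external mail at/above the threshold, 'notify' the sender otherwise, 'allow' if clean."""
    if not findings:
        return "allow"
    top = max(f.confidence for f in findings)
    return "block" if external_recipient and top >= threshold else "notify"


# Constructed sample: the SSN is the well-known sample 078-05-1120, the card is the
# standard 4111... test number; the routing number and both decoys are made up.
SAMPLE_MESSAGE = {
    "subject": "RE: W-2 request for former employee",
    "body": ("Here is the W-2 information you asked for.\n"
             "Employee SSN: 078-05-1120\n"
             "Card on file: 4111 1111 1111 1111\n"
             "Reference number 123456789 (an invoice id, fails the ABA checksum)\n"
             "Placeholder record 000-12-3456\n"),
    "attachments": {"w2_export.csv": "name,ssn,routing\nJane Doe,078-05-1120,123456780\n"},
}


def demo() -> List[Finding]:
    """Scan the constructed message, print the findings and return them."""
    findings = scan_message(**SAMPLE_MESSAGE)
    for f in findings:
        print(f"{f.location:24} {f.info_type:11} {f.value:20} confidence={f.confidence}")
    print("action for external recipient:", policy_action(findings, external_recipient=True))
    return findings


if __name__ == "__main__":
    demo()
```

The two decoys matter more than the hits: the 9-digit invoice number and the 000- SSN match the regexes but fail their validity rules, so they never become findings, which is what keeps a DLP rule from blocking ordinary mail. The threshold in `policy_action` is the knob the slide calls "the confidence level at which Exchange takes action": a lone routing number with no supporting keyword scores 65 and only triggers a notification, while the same number next to the word "routing" scores 85 and blocks an external send.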

Data Loss Prevention Policy Options:

• U.S. Financial Data
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Health Insurance Act (HIPAA)
• U.S. Patriot Act
• U.S. Personally Identifiable Information (PII) Data
• U.S. State Breach Notification Laws
• U.S. State Social Security Number Confidentiality Laws

Data Loss Types we selected to encrypt:

• Credit Card Number
• U.S. / U.K. Passport Number
• U.S. Bank Account Number
• U.S. Driver's License Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)
• ABA Routing Number
• Drug Enforcement Agency (DEA) Number

Phishing Test Campaigns

Sample Report: Phishing Test Campaigns

Reports will show vulnerability

*KnowBe4 graphic

Training Campaigns

Lessons Learned

• Assume worst case scenario
• Single point of contact
• Having Cyber Liability Coverage
• Rapid Response
• Communication, Communication, Communication
  – Involve communication department
  – Consistency of message
  – Frequency of message
  – Rapidly changing information

It's not over yet… there could be more to come…

Questions, Comments or Concerns?