The California State Controller’s Office (SCO) has fallen victim to a data breach, with the records of more than 9,000 people reportedly stolen.

The agency said an employee of its unclaimed property division clicked on a link in an email they received, entered their user ID and password as prompted and unknowingly provided an unauthorised user access to their email account.

The compromised account had personal identifying information in unclaimed property holder reports, the SCO believes.

“The improperly accessed email account was discovered promptly, and access removed. 

SCO unclaimed property division personnel immediately began a review of all emails in the account for personal identifying information that may have been viewed,” the agency said.

However, as the unauthorised user sent potentially malicious emails to some of the SCO employee’s contacts, a notice was emailed to them advising they delete the email and not click on any links in it, the SCO added.

The unauthorised user had access to the account for around 25½ hours from 13:42 18 March.

According to the Krebs on Security investigative website, the phishing attacker used that time to steal social security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts.

The SCO is also responsible for accountability and disbursement of the state government’s financial resources, independently auditing government agencies that spend state funds, and administering the payroll systems for state government and California State University employees, as well as safeguarding lost property until claimed by the rightful owner.

Register here to receive the latest cyber security news straight to your inbox