The Los Angeles County Department of Health Services (DHS) says 47,000 individuals were impacted in a data breach caused by an employee falling victim to a push notification spamming attack.
“A hacker circumvented the multi-factor authentication safeguards of an employee’s Microsoft 365 account through a method commonly referred to as ‘push notification spamming’,” the DHS said in an incident notice (PDF).
Also referred to as push notification fatigue, the attack technique targets multi-factor authentication (MFA) that relies on push notifications on the user’s device, prompting them to approve login attempts after entering their username and password.
The attackers inundate the user’s device with MFA push notifications, causing the user to believe that there could be a glitch and to approve the login attempt.
“We believe that the cyber-attack may have provided the attacker with access to certain personal information,” the organization told the potentially impacted individuals.
Potentially compromised information includes names, dates of birth, home addresses, phone numbers, email addresses, government ID, Social Security numbers, health insurance information, and medical information.
“Upon discovery of the phishing attack, we acted swiftly to disable the impacted email account, reset and reimaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails,” DHS said.
In an announcement on the LA Country’s website, DHS revealed that roughly 47,000 people might have been affected. The health agency is notifying the individuals by mail and is providing them with one year of free identity monitoring services.
The incident occurred on February 6, roughly two weeks before another data breach that the Los Angeles County DHS revealed in April. It is unclear whether the two incidents were related.
The previously disclosed incident occurred between February 19 and February 20, after hackers accessed the email accounts of 23 DHS employees, compromising the personal information of 6,085 individuals. The LA County’s Department of Public Health (DPH) and Department of Mental Health were also affected.
*Updated with the number of potentially impacted individuals.
Related: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections
Related: 750k Impacted by Frontier Communications Data Breach
