BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Push Notification Fatigue Leads to LA County Health Department Data Breach

The Los Angeles County Department of Health Services discloses a data breach caused by push notification spamming attack.

The Los Angeles County Department of Health Services (DHS) says 47,000 individuals were impacted in a data breach caused by an employee falling victim to a push notification spamming attack.

“A hacker circumvented the multi-factor authentication safeguards of an employee’s Microsoft 365 account through a method commonly referred to as ‘push notification spamming’,” the DHS said in an incident notice (PDF).

Also referred to as push notification fatigue, the attack technique targets multi-factor authentication (MFA) that relies on push notifications on the user’s device, prompting them to approve login attempts after entering their username and password.

The attackers inundate the user’s device with MFA push notifications, causing the user to believe that there could be a glitch and to approve the login attempt.

“We believe that the cyber-attack may have provided the attacker with access to certain personal information,” the organization told the potentially impacted individuals.

Potentially compromised information includes names, dates of birth, home addresses, phone numbers, email addresses, government ID, Social Security numbers, health insurance information, and medical information.

“Upon discovery of the phishing attack, we acted swiftly to disable the impacted email account, reset and reimaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails,” DHS said.

In an announcement on the LA Country’s website, DHS revealed that roughly 47,000 people might have been affected. The health agency is notifying the individuals by mail and is providing them with one year of free identity monitoring services.

Advertisement. Scroll to continue reading.

The incident occurred on February 6, roughly two weeks before another data breach that the Los Angeles County DHS revealed in April. It is unclear whether the two incidents were related.

The previously disclosed incident occurred between February 19 and February 20, after hackers accessed the email accounts of 23 DHS employees, compromising the personal information of 6,085 individuals. The LA County’s Department of Public Health (DPH) and Department of Mental Health were also affected.

*Updated with the number of potentially impacted individuals.

Related: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections

Related: 750k Impacted by Frontier Communications Data Breach

Related: BBC Data Breach Impacts 25,000 Employees

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights