The **County of Contra Costa** experienced a **data breach** in **September 2022** due to a **phishing attack** targeting two employee email accounts. Unauthorized parties potentially accessed sensitive personal information stored in emails and attachments. The breach affected **15,591 individuals**, primarily residents with California mailing addresses, who received notification letters in **May 2023**. The exposed data led to risks of identity theft and fraud, prompting a **class-action lawsuit** alleging inadequate security measures. The county settled, offering affected individuals **up to $5,500 in compensation** (covering out-of-pocket expenses, lost time, and extraordinary fraud-related costs) and **two years of credit monitoring**. While the county denied liability, the incident highlighted vulnerabilities in handling **employee-managed sensitive data**, with potential long-term reputational and financial repercussions for victims.
Source: https://www.claimdepot.com/settlements/contra-costa-settlement
Contra Costa County cybersecurity rating report: https://www.rankiteo.com/company/contra-costa-county
{
  "id": "CON1903419111925",
  "linkid": "contra-costa-county",
  "type": "Breach",
  "date": "9/2022",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '15,591 individuals (with California mailing addresses)',
            'industry': 'Public Administration',
            'location': 'Contra Costa County, California, USA',
            'name': 'County of Contra Costa',
            'type': 'Local Government'
        }
    ],
    'attack_vector': 'Email Phishing',
    'customer_advisories': 'Credit monitoring enrollment instructions provided',
    'data_breach': {
        'data_exfiltration': 'Likely (unauthorized access to emails/attachments)',
        'file_types_exposed': ['Emails', 'Attachments (e.g., PDFs, documents)'],
        'number_of_records_exposed': '15,591 individuals',
        'personally_identifiable_information': [
            'Names',
            'Addresses',
            'Potentially: SSNs, financial data, health data (if included in emails)'
        ],
        'sensitivity_of_data': 'High (PII, potential financial/health data in emails)',
        'type_of_data_compromised': [
            'Personally Identifiable Information (PII)',
            'Emails',
            'Attachments'
        ]
    },
    'date_detected': '2022-09-20',
    'date_publicly_disclosed': '2023-05-10',
    'description': 'The County of Contra Costa experienced a phishing incident in September 2022, where unauthorized parties accessed emails and attachments in two county employee accounts. This led to a class action lawsuit alleging failure to adequately protect personal information. A settlement was reached in May 2023, offering affected individuals up to $5,500 in compensation and two years of credit monitoring.',
    'impact': {
        'brand_reputation_impact': 'Negative (public disclosure, lawsuit, settlement)',
        'customer_complaints': 'Class action lawsuit filed (15,591 affected individuals)',
        'data_compromised': ['Emails', 'Attachments (likely containing PII)'],
        'financial_loss': {
            'administration_costs': 'To be determined',
            'attorneys_fees': '$150,000 (max)',
            'class_representative_award': '$2,500 (max)',
            'settlement_fund': 'Undisclosed (covers claims up to $5,500 per person + credit monitoring)'
        },
        'identity_theft_risk': 'High (PII exposed; claims include identity theft/fraud expenses)',
        'legal_liabilities': 'Class action settlement (financial compensation + credit monitoring)',
        'payment_information_risk': 'Potential (if attachments contained financial data)',
        'systems_affected': ['2 Employee Email Accounts']
    },
    'initial_access_broker': {
        'entry_point': 'Phishing Email (compromised employee accounts)',
        'high_value_targets': ['Employee Email Accounts']
    },
    'investigation_status': 'Resolved (settlement reached)',
    'motivation': 'Likely Financial Gain (Data Theft/Exploitation)',
    'post_incident_analysis': {
        'corrective_actions': [
            'Settlement agreement (compensation)',
            'Likely: Enhanced email security training, MFA implementation (not explicitly stated)'
        ],
        'root_causes': [
            'Phishing vulnerability',
            'Inadequate email security controls',
            'Lack of multi-factor authentication (MFA)'
        ]
    },
    'references': [
        {'source': 'Class Action Settlement Notice'},
        {'source': 'Contra Costa County Official Statements (if any)'}
    ],
    'regulatory_compliance': {
        'legal_actions': 'Class action lawsuit (settled)',
        'regulations_violated': [
            'Potentially: California Consumer Privacy Act (CCPA)',
            'California Data Breach Notification Law'
        ],
        'regulatory_notifications': 'Data breach notifications sent to affected individuals (May 2023)'
    },
    'response': {
        'communication_strategy': 'Data breach notification letters (sent ~May 10, 2023)',
        'incident_response_plan_activated': 'Likely (investigation conducted)',
        'recovery_measures': 'Settlement agreement (compensation + credit monitoring)'
    },
    'stakeholder_advisories': 'Settlement notices sent to affected individuals (May 2023)',
    'threat_actor': 'Unauthorized Parties (Unknown)',
    'title': 'Contra Costa County Data Breach (September 2022)',
    'type': ['Data Breach', 'Phishing'],
    'vulnerability_exploited': 'Human Error (Phishing Susceptibility)'
}