Would-be hackers duped 280 Kansas City employees into opening the door to municipal computer systems sometime in the last six months, a city audit report said.
Each employee had given up log-in credentials after responding to an email that had been sent to collect just such critical information. They’d fallen for what is commonly called a phishing attack.
Luckily, these were would-be hackers. The attack was a fake, specifically a test conducted by city auditors.
“We phished ourselves to see how we’d do,” city auditor Douglas Jones said Thursday.
Jones said he wanted to know not only how employees would treat the phishing email but also how the city’s information technology teams would handle the breach, to which they had not been privy.
So, how’d they do?
“Not bad,” Jones said. “But it only takes one to give you their information.”
The audit report said it this way. “Had our test been an actual phishing email, a hacker would have about 280 chances to infiltrate the city’s information systems.”
It noted that the 280 included employees from all city departments and included some with greater access to personnel and other key systems.
Cybersecurity has become a hot topic following dramatic cyber attacks against Sony Corp. over its movie about a fictional assassination attempt on North Korea’s leader. That event, plus widely publicized attacks on retailer Target Corp. and Home Depot Inc. sparked Kansas City’s test.
Official results and recommendations from Kansas City’s test came out this week in a report to Mayor Sly James and the City Council. Work is underway on written policies to direct the IT department’s response to phishing attacks like this test, the audit report said. The city already has a “cyber terrorism mitigation plan” that would respond to larger scale attacks that might force moving operations to an alternate site.
And all employees are in for mandatory training.
It’s a standard two-prong approach that relies on technology to defend against attacks and smart behavior by individuals to recognize and avoid traps. Employers recognize that employees are the first line of defense, especially in the case of a simple phishing email.
Here’s how it played out at City Hall, though Jones isn’t saying when the test took place.
The test began as 3,115 fake phishing emails started landing in employees’ in boxes. Within the hour, 66 employees had clicked on the email’s link to a fake website set up for the test. In hour two, 226 more clicked through followed by 195 in hour three.
Kansas City’s IT staff spotted the phishing email early in the fourth hour and began alerting employees. The effort helped reduce the potential for damage, as clicks to the fake website fell to 62 in that hour, and then fell by half in each of the next three hours.
Among other steps, the city IT staff deleted the phishing email from the system so no one would be able to click on it, the audit said. It also noted that the deletion did not happen for at least a day.
Employees who had given up their log-in information were instructed to change their passwords if they’d clicked on the phishing email’s link. Tracking their actions found that two thirds had done so during the first 24 hours, but that 30 percent had not changed their passwords within 48 hours after the attack.
The audit report noted that some employees guessed the email was an attack and provided fake credentials. Not a good idea.
“Just clicking the website link in the email could expose the city’s information systems to risk,” the report said.