Orange County’s top prosecutor’s office says it was hit with a cybersecurity “breach” on Friday.
The breach was announced on Monday, when Spitzer’s office said a “portion” of its Information Technology system was impacted.
It comes as OC District Attorney Todd Spitzer’s office has been responding to a 2021 report on cybersecurity risks by internal county auditors, who found three “critical” and five “significant” weaknesses in cybersecurity controls administered by the DA.
Those findings included risks of unauthorized access and “malicious” malware to internal District Attorney systems.
“Immediate action was taken to shut the system down when OCDA’s cybersecurity infrastructure alerted us to a possible breach Friday to prevent further intrusion into our system or other related systems,” the statement reads, adding that upon learning of the attack, DA staff “immediately” enacted a plan to investigate the source.
The DA’s office says it implemented a series of “protocols” to “ensure that the Orange County criminal justice system continues to function efficiently.”
“To contain any effects of the cybersecurity incident, we isolated our network communications,” reads the news release.
As of Monday afternoon, DA officials had not responded to requests for information about the size of said “portion” and whether the data has since been secured.
Cybersecurity has been a controversial topic in county government.
In 2017, Voice of OC reported on a draft county audit of computer networks run by the county’s central IT office, used by most county offices, like health and social services, probation, public works, and child support services.
At the time, auditors found that county officials left the government vulnerable to hacking and other malicious activity, with several critical computer systems lacking up-to-date software and former workers having continued access to the back-end of county computer networks even after they left their jobs.
In 2021, county auditors reviewed cybersecurity controls at the DA’s office in a report that found the following risks:
- “Unauthorized logical access to, and exposure of, sensitive data.
- Known vulnerabilities not patched could be exploited by threat actors to gain unauthorized access and perform malicious actions.
- Installation, spread, and execution of malicious code that could result in a cybersecurity incident such as data exposure and unauthorized access.
- Incomplete backup data or data cannot be restored successfully when needed.”
Internal county auditors’ most recent public-facing follow-up on that DA report, published in February of this year, found that as of Sept. 30, 2022, five of the recommendations had been implemented, while six were still in process.
Reached for comment on Friday, OC Supervisor Doug Chaffee said, “Generally, our different departments are separate — so cybersecurity at the DA’s office doesn’t necessarily impact any of our other departments. Their system is different. We did not find any issue with any other department other than the attempt at the DA’s office.”
The other four Orange County Supervisors didn’t respond to calls for comment as of Monday afternoon.
Chaffee said he and other supervisors were notified of the breach by the County of Orange CEO Frank Kim, “who kept the supervisors informed there was a cybersecurity issue with DA’s office and appropriate people from IT department were on it.”
“Two hours later, I got another message from Frank, saying it was all clear that they made sure it wouldn’t affect anybody else and that the data was secure.”