The reported phishing attack on an employee at the California State Controller's Office happened last Thursday, lasting an estimated 25 hours before staff caught it.

A sweeping data breach at the California State Controller's Office has reportedly exposed personal records and sensitive information belonging to thousands of people, including state employees and their contacts.

The incident, caused by an employee at the agency's Unclaimed Property Division clicking on a phishing email, happened last Thursday, according to a "Notice of Data Breach" posted by the state on Saturday. After the employee clicked on a link and provided their login information, an "unauthorized user" gained use of the state employee's account for roughly 25 hours.

The unauthorized user had access to records in the state's Unclaimed Property Holder Reports, said the state's release.

However, cybersecurity blog Krebs On Security reported "the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts."

An anonymous source told the website the hacker also had access to the employee's Microsoft Office 365 files, something the controller's office denied.

"(State Controller Office) team members have identified all personal information included in the compromised email account and begun the process of notifying affected parties," a spokesperson for the controller's office told the website. "The Controller is going over and beyond the notification requirements in law by providing both actual mailed notification and substitute notification in an effort to ensure the broadest possible notification."

Once the data breach was discovered, it was promptly removed.

Staff then conducted a thorough review and reached out to anyone in the employee's contact list who could have been impacted, the state said.