The City of Tucson in Arizona, USA recently disclosed an extensive data breach impacting the personally identifiable information (PII) of over 125,000 data subjects.

The incident was revealed when the city sent out a dedicated data breach notice to people affected by the event. The widespread data leak was the result of an insidious threat operator breaching Tucson’s network and then exfiltrating a yet undisclosed number of data files that contained confidential information and PII.

Secure network accessed by attackers

An investigation into the incident has uncovered that the threat operators behind the attack on the city had access to its network from May 17 to May 31. During this period, it is believed that the attackers may have accessed and obtained documents that contained the information of 123,513 different data subject.

The City of Tucson data breach notice explained:

“On May 29, 2022, the City learned of suspicious activity involving a user’s network account credential and on August 4, 2022, the City learned that certain files may have been copied and taken from the City’s network.”

After its review of the incident, the City started notifying individuals who were potentially impacted by the attack on September 23. The data subjects contacted face a potential threat that their sensitive personal information may have been exposed in the incident, with the threat operators able to access their name and designated Social Security numbers along with other types of PII.

In a separate announcement delivered via its official website, the City of Tucson added:

“On September 12, this review concluded, and the review determined that the information at issue included certain personal information. The information within the potentially accessed files included certain individuals’ name, Social Security number, driver’s license or state identification number, and passport number.”

Determining misuse of personal information

Breach notification letters that were issued to impacted individuals also stated that no evidence was uncovered that any personal information had been misused to date.

However, all individuals affected by the data breach have been recommended to monitor their personal credit reports for any signs of suspicious activity that might hint at possible attempts at identity theft or fraud using their persona data.

As recompense and support, the city is providing all impacted individuals with one years’ worth of free access to identity protection and credit monitoring services from Experian, as well as expert guidance on how to defend against potential threats of identity theft.

The notification of a data breach sent out to affected data subjects reaffirmed that The City of Tucson takes the security of information held in its possession as a priority and formally apologised for any inconvenience caused by the event to those impacted.

The notice added that as part of its continuing commitment to securing all information in its care, the City is now reviewing its present procedures and policies regarding cybersecurity and assessing further safeguards and measures it can take to prevent this type of incident occurring again in the future.