The city of Grass Valley in California, recently announced it had experienced a large-scale data leak. The breach involved the personal Social Security numbers and other sensitive information of every city employee and vendor. The leak also included data on any individual whose personal information had been shared with the local Grass Valley Police Department.

Disclosure of leaked data

Located close to the city of Sacramento, Grass Valley has a population of approximately 13,000, and it was originally named Centreville. In a recent security advisory, the city confirmed that as well as Social Security numbers, both health insurance details and driver’s licence numbers belonging to Grass Valley personnel, former employees, dependents, spouses and vendors were all leaked.

It added that people whose personal information was provided to the local police departments, such as full names, driver’s licence numbers, Social Security numbers, health insurance information, payment card information, financial account information and passport numbers, among others, were also compromised during the data breach.

Furthermore, individuals who had completed loan applications and submitted them to Grass Valley’s Community Development Department were also added to those whose data was involved in the leak.

Details following the data breach

According to members of Grass Valley’s government, the data breach started back in 2021 on 13th April, and data files were moved out of its dedicated network until 1st July. The city stated that by December, it possessed a clearer understanding of the incident’s scope and how much information had been lost during the breach. At this point, in line with government legislation, it started to issue notification letters to all breach victims. The first of these missives were sent on the 7th January this year.

According to a statement from the city, only those individuals whose driver’s licence number or Social Security number was leaked will receive aid in the form of one year’s worth of free protection against identity theft and a professional credit monitoring system. An update was later released confirming to victims that Grass Valley was unable to determine if a specific individual’s personal data was lost in the extensive breach. It explained:

“We have learned that some individuals are calling the phone number provided to inquire ‘has my identity been affected?’ The call centre is unable to ‘look up names’ specifically. Rather, we ask that if you fall into one of these categories that you specify to the call centre the category in which you fall and ask to have them provide you with a use-code to enrol in Experian’s IdentityWorksSM credit monitoring service.”

Given the personal nature of the data retained by cities and local authorities on their networks, it is always advised that encryption software is employed to safeguard such personal information. In the event that a data breach occurs or private information is exposed online, the negative impacts can be mitigated, as files will stay inaccessible to any unauthorised individuals who are not in possession of their dedicated decryption key.