CHARLOTTESVILLE, Va. (WVIR) - Thousands of people in Charlottesville have had their personal information compromised after a cyber security breach at City Hall.

Charlottesville officials say they don't think any of the leaked information has been misused and that no money has been lost. The information compromised includes Social Security numbers, addresses, and driver's license numbers.

Staff discovered the data breach while looking into an unrelated phishing scam, and the city launched its investigation in May. The city is now in the process of notifying 10,700 current and former utility billing customers that their information has been compromised.

"It's been a whole different ballgame since August 2017, so we have to be constantly aware that these threats may be coming and that's both in the IT shop but it's also with every individual employee," said Charlottesville Director of Communications Brian Wheeler.

Richard Seweryniak, Piedmont Virginia Community College's Cyber Security Program Director, says there are steps organizations can take to make sure things like this don't give away people's information.

"One of the big things that I try to push companies is to have data encrypted at rest," Seweryniak said. "I know details are still coming out about the Charlottesville attack, but having the data encrypted would help prevent it from being stolen and if it were stolen, it would not be used at that time."

The city is now working with a team of lawyers and cyber security professionals. Employees are also receiving additional training to avoid future problems.

Charlottesville staff is already sending letters to the 10,700 people whose personal information was exposed. The letters will detail what information is vulnerable and connect customers to a team of cyber security professionals.


City of Charlottesville Press Release:

CHARLOTTESVILLE, VA - The City of Charlottesville is in the process of notifying about 10,700 of its current and former utility billing customers that a limited amount of their personally identifiable information may have been exposed via unauthorized access to a single City employee’s email mailbox. At any given time, the City has about 25,000 current water and natural gas customers.

At this time, the City is not aware of any misuse of the personal information of any of the individuals being notified as a result of this security incident. Out of an abundance of caution, the City is informing all affected parties about the incident.

During an investigation into the potential compromise of a single City employee’s personal information in an unrelated phishing scam, the City discovered that the email account of another employee was compromised during the period of March 19, 2019 to April 22, 2019. Upon learning of the issue, the City launched a thorough investigation in consultation with outside forensic experts who regularly investigate these types of incidents. The investigation determined that the affected customers’ information, including names, addresses, Social Security Numbers, and in some cases driver’s license numbers, was available within this account.

Letters will be mailed to the affected individuals in the coming days with additional information about the incident and guidance on steps the affected individuals can take to protect themselves and their information.

The City regrets that this exposure occurred. Our focus is on notifying the affected parties and ensuring that such an incident does not occur again. We take matters related to securing our computer systems and the confidential information of our employees, citizens, and customers very seriously.

Due to persistent and pervasive cybersecurity threats facing the City of Charlottesville, our Information Technology Department takes a proactive approach to preparing for threats to infrastructure, computing devices, user accounts and identification, data, and applications through cybersecurity protocols and procedures, advanced security hardware, software, and services, and the administration of cybersecurity awareness campaigns and training for the City staff.

The City has also taken this incident as an opportunity to provide employees with additional training related to computer security and email phishing scams and to implement new procedures about the sharing of sensitive data internally via email and in email attachments.