A cyber-attack on a city in California has resulted in the exfiltration of personal and financial data belonging to vendors, city employees, and their spouses.
A data security incident notice published by the City of Grass Valley states that an unknown attacker was able to access some of the city’s IT systems for four months last year.
The city said that the attacker exploited the unauthorized access they enjoyed between April 13 and July 1, 2021, to steal data belonging to an unspecified number of individuals.
Victims affected by the data breach include Grass Valley employees, former employees, spouses, dependents, and individual vendors hired by the city. Other victims include individuals whose information may have been provided to the Grass Valley Police Department, as well as individuals whose information was provided to the Grass Valley Community Development Department in loan application documents.
The statement does not reveal the date upon which the presence of the threat actor was detected by Grass Valley but claims that the city “immediately took steps to secure our network, contacted law enforcement, and began an investigation with the assistance of a cybersecurity firm.”
A review of which files had been accessed by the threat actor and what data had been compromised was concluded on December 1. Information exposed during the attack was found to include Social Security numbers, driver’s license numbers, vendor names, and limited medical or health insurance information.
For individuals whose information may have been provided to the Grass Valley Police Department, the impacted data included name and one or more of the following: Social Security number, driver’s license number, financial account information, payment card information, limited medical or health insurance information, passport number, and username and password credentials to an online account.
Those who had applied for a community development loan may have had names and Social Security numbers, driver’s license numbers, financial account numbers, and payment card numbers compromised.
Grass Valley started notifying victims of the data breach on January 7, 2022.
The city said: “To help prevent something like this from happening again, we continue to review our systems and are taking steps to enhance our existing security protocols.”