Friday, April 12, 2024

Cd'A notifies 57 in Idaho of data breach

Staff Writer | March 30, 2024 1:00 AM

COEUR d’ALENE — The city of Coeur d’Alene recently sent 57 notifications to Idaho residents whose personal information was accessed in a ransomware attack last month.

The affected data included names, Social Security numbers and driver’s license and/or state identification card numbers, according to a March 12 letter to the Office of the Idaho Attorney General from attorney Matt Meade of the firm Eckert Seamans Cherin and Mellott in Pittsburgh.

“At this time, we are not aware of any misuse of your information,” according to a letter from the city, also dated March 12 and sent by Meade to the AG’s office. “However, we are providing this notice to you to inform you of the incident, offer complimentary identity monitoring services, and suggest ways that you can protect your information.”

The city shut down its computer network Feb. 11 after malware was detected in its system. The city's website was offline, records were not accessible and phones were down for several days.

In a Feb. 12 press release, the city said it was working with nationally recognized third-party cybersecurity and data forensics consultants and following industry best practices while developing a strategic plan to address the issue. 

The city has since brought its network back online, but an investigation of the incident continues.

Idaho Code 28-51-105 requires an Idaho public agency to notify the Attorney General’s Office within 24 hours of discovering a breach of its security system.

In the March 12 letter signed by City Clerk Renata McLeod, it states: “Through our investigation, we learned that there was unauthorized access to the City’s network between February 4 and February 11, 2024, and that the cyber criminals removed certain files from our servers during the attack. As soon as we learned this, we began an extensive review to determine what information may have been involved and who may have been affected, so that we could provide notice. On February 29, 2024, we completed the review and began locating mailing addresses for individuals whose information was impacted, so that we could provide them with written notice of this incident.”

Under Idaho law, the city was required to send the notification to the persons identified by its investigation. It also notified 68 residents outside Idaho whose data "was impacted."

The notice includes advice on how to protect one’s identity, obtain free credit reports and security freezes, as well as instructions for enrolling in a one-year, complimentary membership with Experian for credit monitoring and identity theft services. 

“Our investigators searched Dark Web sources and found no indication that any personal information that the city maintains had been released or offered for sale as a result of this incident,” the city letter states. 

The information was not used or sold by the person or persons behind the cyber incident, "but was merely encrypted," according to one city officials.

To further enhance its security and to help prevent similar occurrences in the future, the city said it has taken or will be taking several steps: 

1. Deploying security tools to enhance detection and accelerate response to cyber incidents.

2. Conducted enterprise-wide password reset.

3. Investing in hardware and system enhancements to further protect against cyber incidents. 

The city recommended those affected remain alert for incidents of fraud and identity theft by regularly reviewing account statements and report any incidents of suspected identity theft.

Meade's letters to the AG's office and the city's sent out to resident are available on the AG's website.

"Please accept our apologies that this incident occurred. We remain fully committed to maintaining the privacy of personal information in our possession and will continue to take many precautions to safeguard it," the city's letter states.