Tucson data breach puts 123,500 individuals’ information at risk

The city of Tucson has reported a data breach that put more than 123,500 individuals’ personal information at risk for fraudulent use.

The potentially stolen data includes individuals’ names, Social Security numbers, driver’s license or state identification numbers and passport numbers, the city says.

Tucson has sent letters to all those whose data was left vulnerable in the breach and offered a year’s worth of credit monitoring services to help detect identity fraud and other harmful uses of personal information.

According to Principal Assistant City Attorney Roi Lusk, the city detected suspicious activity May 29 when someone hacked into a user’s account and may have copied data from the city’s network.

The city shut down its website and online services for two days after discovering the activity “to make sure that no additional information can be taken or any additional harm can be done,” Lusk said.

People are also reading…

The city brought on forensic specialists to examine the nature of the breach in an investigation that lasted five weeks and revealed the sensitive nature of the data potentially copied from the city’s network and those whose information could have been leaked. Notices were mailed to affected individuals Sept. 29.

There is no indication the information leaked has been used fraudulently, according to Lusk, based on scans of the dark web in conjunction with forensic specialists and state and federal partners. For the majority of those notified, their information was left vulnerable in the breach, “we can’t determine for certain that information even left the network,” Lusk said.

Those the city notified their personal information was left vulnerable include current and former city employees, licensees of the city and even those who haven’t done business in the city due to a verification process the Department of Revenue conducts to ensure people aren’t operating businesses in cities where they don’t pay taxes, according to Lusk.

According to Jim Van Dyke, the senior vice president of innovation at Sontiq, an identity security company, municipal data breaches are relatively common, but the nature of Tucson’s data leak is “pretty bad” due to the three government identifiers that were potentially leaked.

The combination of leaked Social Security, driver’s license and passport numbers increase an individual’s likelihood of new credit or loan accounts being fraudulently taken out in an individual’s name. Another risk posed by the city’s data breach is legal evasion, where someone can attempt to steal another’s identity with the intent to commit unlawful activity and evade detection, according to Van Dyke.

“This is a particular breach in which people need to take active steps to protect themselves,” he said. Breached individuals “definitely should not ignore it, and if they have that feeling of helplessness, realize that that’s common, and yet, they don’t want to let themselves get into a state of inertia. … It’s a good opportunity just to go back through some standard procedures. And in this case, walk or freeze your credit, notify law enforcement and set fraud alerts on your credit report.”

Van Dyke said everyone who received a notice from the city should take advantage of the free credit monitoring services.

To increase the city’s data security efforts, Lusk said Tucson is determining how the city can better protect user information in the future. The city has hired third-party forensic specialists to monitor more than 6,000 city servers, laptops and PCs used to conduct city business while enhancing monitoring systems that alert staff to security breaches.

“The difficulty is these attacks happen every day, every day. For the most part, our IT department does a fantastic job of keeping us safe and keeping that data safe. But of course, it only takes one failure of any part of that system to cause some issues,” Lusk said. “We’re evolving all the departments, and we’re evolving leadership all the way down to the individual city employee to make sure that this kind of thing doesn’t happen.”

The data breach occurred after the former head of Tucson’s IT department Colin Boyce resigned. Lusk said interim directors took charge of managing the data breach, and new Chief Information Officer Christopher Mazzarella came on board early to aid in the efforts.

The City Council approved Mazzarella’s hiring as the head of the city’s IT efforts on Oct. 5. He previously led IT strategy development for Raytheon Missiles and Defense.

More resources to protect your information

Consumers are entitled to one free credit report a year from each of the three major credit reporting bureaus: Equifax, Experian and TransUnion. Check your credit report at annualcreditreport.com.

You can place a fraud alert or credit freeze on a credit file for free by contacting a credit bureau.

For more information on identify theft, visit: identitytheft.gov

For more information on the city of Tucson’s data breach, visit: tucsonaz.gov/home/announcement/city-tucson-data-security-event

ICYMI: Watch the Star’s top videos from the past week

Watch Now: Trail cameras catch mountain lions at Tucson home.

Watch Now: Breaking down Arizona’s 49-22 loss to No. 12 Oregon

Watch now: There’s a reason why we call it ‘Tucson Eat Yourself’

Watch Now: Mica Mountain players wish teammate a happy birthday

Watch now: Candlelight vigil held at UA for Thomas Meixner

Watch Now: Gar and Goyle pick on guests at Nightfall

Watch now: Tucson Meet Yourself 2022 weekend preview

Watch Now: The Arizona Insect Festival Returns

Watch now: Scattered showers sweep over Tucson’s north side

Watch now: UAPD addresses fatal shooting on campus

Watch now: Tucson classes teach dogs to avoid snakes

Watch now: Tucson Pride returns with downtown parade on Sept. 30

Watch Now: Arizona’s Henri Veesar, Oumar Ballo look back on Wildcats’ Red-Blue Game

Video: Arizona Game and Fish discusses mountain lion safety

Contact reporter Nicole Ludden at [email protected]


Comments are closed.