On August 6, media in Colorado reported that the City of Lafayette had paid $45,000 to get a decryption key following a ransomware attack.
On August 24, the city published a notification about the incident:
This public notice is intended to advise residents, employees, and customers of an incident involving a cyberattack on the City of Lafayette’s computer network system, and possible security breach of personal information stored on the City’s system. Although we are unaware of any actual acquisition or misuse of personal information, we are providing notice to potentially affected individuals about the incident and resources available to protect individuals against possible identity theft or fraud.
What Happened?
On July 27, 2020, a ransomware cyberattack on the City’s computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems. The City’s system was shut down and disconnected that morning, and any access the cyber criminals had was cut off at that time. We do not believe personal credit or debit card information was compromised because the City uses external PCI-certified payment gateways, which were not accessible or affected in the cyberattack. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.
What Information Was Involved?
Personal information the cyber criminals may have had access to includes first and last name, driver’s license or identification card number, medical information, health insurance identification number, and username and password or log-in credentials to online accounts. It is unknown whether the cyber criminals copied any information from the City’s network. Specific examples of personal information that may have been accessible to the cyber criminals during the cyberattack include:
- Usernames and passwords for residential and commercial water bill accounts
- Cemetery records
- Names and health insurance identification numbers for persons transported by Lafayette Fire Department ambulance prior to January 1, 2018
- Usernames and passwords for Bob L. Burger Recreation Center online user registration accounts
- Usernames and passwords for online user registration accounts at the Indian Peaks Golf Course
- Current and former City of Lafayette employees’ personal information, including Social Security Numbers, driver’s license or identification card numbers, and health insurance identification numbers
- Liquor and marijuana licensee applications containing applicants’ Social Security Numbers and driver’s license or identification card numbers
- Name and driver’s license or identification card numbers on traffic citations or other offenses, or on police reports or municipal court records.
What Are We Doing?
Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cybersecurity analyst was contracted to provide forensic investigation and recovery. Additional resources were deployed from the Boulder Office of Emergency Management and the State Office of Information Technology. The City assisted local, state, and federal law enforcement agencies in an extensive cyber investigation. System servers and computers are currently being cleaned and rebuilt. Once complete, data will be restored to the system and all operations will resume. No permanent damage to hardware has been identified.
The City takes the security and safety of our residents’ and customers’ data very seriously. While there is no way to eliminate the risk of these types of attacks, the City is taking steps to install crypto-safe backups, deploy additional cybersecurity systems, and implement regular vulnerability assessments to prevent future data threats and safeguard personal information.
What You Can Do?
To protect yourself from the possibility of identity theft, we recommend reviewing banking and credit card statements and report any suspicious activity to relevant financial institutions. Individuals can place a fraud alert or security freeze on credit reports, free of charge, by contacting any or all of the consumer reporting agencies or the FTC listed below.
[….]
For More Information
To inquire about the potential security breach, and for more information, please call 303-661-1250 weekdays between the hours of 9am and 4pm or visit www.cityoflafayette.com/CyberRecovery.