News

City News

Posted on: August 24, 2020

Notice of security breach for City of Lafayette residents, employees, and customers

Notice of Security Breach

NOTICE OF SECURITY BREACH – August 24, 2020
This public notice is intended to advise residents, employees, and customers of an incident involving a cyberattack on the City of Lafayette’s computer network system, and possible security breach of personal information stored on the City’s system. Although we are unaware of any actual acquisition or misuse of personal information, we are providing notice to potentially affected individuals about the incident and resources available to protect individuals against possible identity theft or fraud.

What Happened?
On July 27, 2020, a ransomware cyberattack on the City’s computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems. The City’s system was shut down and disconnected that morning, and any access the cyber criminals had was cut off at that time. We do not believe personal credit or debit card information was compromised because the City uses external PCI-certified payment gateways, which were not accessible or affected in the cyberattack. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity. 

What Information Was Involved?
Personal information the cyber criminals may have had access to includes first and last name, driver’s license or identification card number, medical information, health insurance identification number, and username and password or log-in credentials to online accounts. It is unknown whether the cyber criminals copied any information from the City’s network.  Specific examples of personal information that may have been accessible to the cyber criminals during the cyberattack include:

  • Usernames and passwords for residential and commercial water bill accounts
  • Cemetery records
  • Names and health insurance identification numbers for persons transported by Lafayette Fire Department ambulance prior to January 1, 2018
  • Usernames and passwords for Bob L. Burger Recreation Center online user registration accounts
  • Usernames and passwords for online user registration accounts at the Indian Peaks Golf Course
  • Current and former City of Lafayette employees’ personal information, including Social Security Numbers, driver’s license or identification card numbers, and health insurance identification numbers
  • Liquor and marijuana licensee applications containing applicants’ Social Security Numbers and driver’s license or identification card numbers
  • Name and driver’s license or identification card numbers on traffic citations or other offenses, or on police reports or municipal court records

What Are We Doing?
Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cybersecurity analyst was contracted to provide forensic investigation and recovery. Additional resources were deployed from the Boulder Office of Emergency Management and the State Office of Information Technology. The City assisted local, state, and federal law enforcement agencies in an extensive cyber investigation.   System servers and computers are currently being cleaned and rebuilt. Once complete, data will be restored to the system and all operations will resume. No permanent damage to hardware has been identified. 

The City takes the security and safety of our residents’ and customers’ data very seriously.   While there is no way to eliminate the risk of these types of attacks, the City is taking steps to install crypto-safe backups, deploy additional cybersecurity systems, and implement regular vulnerability assessments to prevent future data threats and safeguard personal information.

What Can You Do?
To protect yourself from the possibility of identity theft, we recommend reviewing banking and credit card statements and report any suspicious activity to relevant financial institutions. Individuals can place a fraud alert or security freeze on credit reports, free of charge, by contacting any or all of the consumer reporting agencies or the FTC listed below. 

Equifax                            Experian                          TransUnion LLC              Federal Trade Commission/Consumer Response 

P.O. Box 740241              P.O. Box 9554                  P. O. Box 2000                  600 Pennsylvania Ave. NW

Atlanta, GA 30374           Allen, TX 75013                Chester, A 19022              Washington, DC 20580

800/685-1111                  888/397-3742                  888/909-8872                     877-IDTHEFT (438-4338)

www.equifax.com          www.experian.com        www.transunion.com         www.ftc.gov/idtheft/ 

For More Information
To inquire about the potential security breach, and for more information, please call 303-661-1250 weekdays between the hours of 9am and 4pm or visit www.cityoflafayette.com/CyberRecovery.

More info at: cityoflafayette.com/CyberRecovery
Facebook Twitter Email

Other News in City News

Utility Billing Information

Utility billing update September 2020

Posted on: September 3, 2020
Ride Free Lafayette

Ride Free Lafayette

Posted on: July 22, 2020
bikeride_forweb.jpg

Bike webinars on Sept. 23 and Oct. 14

Posted on: September 14, 2020
Lafayette Connection

September Lafayette Connection newsletter

Posted on: September 10, 2020

Colorado Statewide mask order

Posted on: July 16, 2020
Lafayette Listens video screenshot

Check out Lafayette-Listens.com

Posted on: October 18, 2019

Equal protection under the law

Posted on: February 24, 2017