On July 27, 2020, a ransomware cyberattack on the City’s computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems. The City’s system was shut down and disconnected that morning, and any access the cyber criminals had was cut off at that time. We do not believe personal credit or debit card information was compromised because the City uses external PCI-certified payment gateways, which were not accessible or affected in the cyberattack. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.
What Information Was Involved?
Personal information the cyber criminals may have had access to includes first and last name, driver’s license or identification card number, medical information, health insurance identification number, and username and password or log-in credentials to online accounts. It is unknown whether the cyber criminals copied any information from the City’s network. Specific examples of personal information that may have been accessible to the cyber criminals during the cyberattack include:
- Usernames and passwords for residential and commercial water bill accounts
- Cemetery records
- Names and health insurance identification numbers for persons transported by Lafayette Fire Department ambulance prior to January 1, 2018
- Usernames and passwords for Bob L. Burger Recreation Center online user registration accounts
- Usernames and passwords for online user registration accounts at the Indian Peaks Golf Course
- Current and former City of Lafayette employees’ personal information, including Social Security Numbers, driver’s license or identification card numbers, and health insurance identification numbers
- Liquor and marijuana licensee applications containing applicants’ Social Security Numbers and driver's license or identification card numbers
- Name and driver’s license or identification card numbers on traffic citations or other offenses, or on police reports or municipal court records
What Are We Doing?
Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cybersecurity analyst was contracted to provide forensic investigation and recovery. Additional resources were deployed from the Boulder Office of Emergency Management and the State Office of Information Technology. The City assisted local, state, and federal law enforcement agencies in an extensive cyber investigation. System servers and computers are currently being cleaned and rebuilt. Once complete, data will be restored to the system and all operations will resume. No permanent damage to hardware has been identified.
The City takes the security and safety of our residents’ and customers’ data very seriously. While there is no way to eliminate the risk of these types of attacks, the City is taking steps to install crypto-safe backups, deploy additional cybersecurity systems, and implement regular vulnerability assessments to prevent future data threats and safeguard personal information.
What Can You Do?
To protect yourself from the possibility of identity theft, we recommend reviewing banking and credit card statements and report any suspicious activity to relevant financial institutions. Individuals can place a fraud alert or security freeze on credit reports, free of charge, by contacting any or all of the consumer reporting agencies or the FTC listed below.
Equifax Experian TransUnion LLC Federal Trade Commission
P.O. Box 740241 P.O. Box 9554 P. O. Box 2000 600 Pennsylvania Ave. NW
Atlanta, GA 30374 Allen, TX 75013 Chester, A 19022 Washington, DC 20580
800/685-1111 888/397-3742 88/909-8872 877-IDTHEFT (438-4338)
www.equifax.com www.experian.com www.transunion.com www.ftc.gov/idtheft/
For More Information
To inquire about the potential security breach, and for more information, please call 303-661-1250 weekdays between the hours of 9am and 4pm or visit www.cityoflafayette.com/CyberRecovery.