Tucson data breach puts 123,500 individuals’ information at risk

The city of Tucson has reported a data breach that put more than 123,500 individuals’ personal information at risk for fraudulent use.

The potentially stolen data includes individuals’ names, Social Security numbers, driver’s license or state identification numbers and passport numbers, the city says.

Tucson has sent letters to all those whose data was left vulnerable in the breach and offered a year’s worth of credit monitoring services to help detect identity fraud and other harmful uses of personal information.

According to Principal Assistant City Attorney Roi Lusk, the city detected suspicious activity May 29 when someone hacked into a user’s account and may have copied data from the city’s network.

The city shut down its website and online services for two days after discovering the activity “to make sure that no additional information can be taken or any additional harm can be done,” Lusk said.

The city brought on forensic specialists to examine the nature of the breach in an investigation that lasted five weeks and revealed the sensitive nature of the data potentially copied from the city’s network and those whose information could have been leaked. Notices were mailed to affected individuals Sept. 29.

There is no indication the information leaked has been used fraudulently, according to Lusk, based on scans of the dark web in conjunction with forensic specialists and state and federal partners. For the majority of those notified, their information was left vulnerable in the breach, “we can’t determine for certain that information even left the network,” Lusk said.

Those the city notified their personal information was left vulnerable include current and former city employees, licensees of the city and even those who haven’t done business in the city due to a verification process the Department of Revenue conducts to ensure people aren’t operating businesses in cities where they don’t pay taxes, according to Lusk.

According to Jim Van Dyke, the senior vice president of innovation at Sontiq, an identity security company, municipal data breaches are relatively common, but the nature of Tucson’s data leak is “pretty bad” due to the three government identifiers that were potentially leaked.

Back to homepage

Subscriber Login

Keep reading with a digital access subscription.

Subscribe now

The combination of leaked Social Security, driver’s license and passport numbers increase an individual’s likelihood of new credit or loan accounts being fraudulently taken out in an individual’s name. Another risk posed by the city’s data breach is legal evasion, where someone can attempt to steal another’s identity with the intent to commit unlawful activity and evade detection, according to Van Dyke.

“This is a particular breach in which people need to take active steps to protect themselves,” he said. Breached individuals “definitely should not ignore it, and if they have that feeling of helplessness, realize that that’s common, and yet, they don’t want to let themselves get into a state of inertia. … It’s a good opportunity just to go back through some standard procedures. And in this case, walk or freeze your credit, notify law enforcement and set fraud alerts on your credit report.”

Van Dyke said everyone who received a notice from the city should take advantage of the free credit monitoring services.

To increase the city’s data security efforts, Lusk said Tucson is determining how the city can better protect user information in the future. The city has hired third-party forensic specialists to monitor more than 6,000 city servers, laptops and PCs used to conduct city business while enhancing monitoring systems that alert staff to security breaches.

“The difficulty is these attacks happen all day, every day. For the most part, our IT department does a fantastic job of keeping us safe and keeping that data safe. But of course, it only takes one failure of any part of that system to cause some issues,” Lusk said. “We’re evolving all the departments, and we’re evolving leadership all the way down to the individual city employee to make sure that this kind of thing doesn’t happen.”

The data breach occurred after the former head of Tucson’s IT department Colin Boyce resigned. Lusk said interim directors took charge of managing the data breach, and new Chief Information Officer Christopher Mazzarella came on board early to aid in the efforts.

The City Council approved Mazzarella’s hiring as the head of the city’s IT efforts on Oct. 5. He previously led IT strategy development for Raytheon Missiles and Defense.