City of Tucson, Arizona Discloses Data Breach
In mid-October of 2022, the city of Tucson, Arizona announced that it had experienced a data breach involving the personal information of more than 125,000 individuals. The attack took place between May 17th and 31st, 2022, and its full scope was realized on August 12th, 2022. Data types that may have been compromised in the attack include personal names, Social Security numbers (SSN), driver’s license numbers, and passport numbers. While the city is working under the worst-case scenario, city officials are still uncertain how much data the threat actors managed to steal. Those affected include current and former city employees as well as anyone who had applied for a business license with the city.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
The city was made aware of suspicious activity involving the account of an authorized user. It is believed that a threat actor compromised the user’s account. On August 4th, the city was informed that some files may have been copied and exfiltrated from the city’s network.
CONTAINMENT (If IoCs are identified)
Immediately upon discovering the compromise of a user account, Tucson’s internal IT team shut down the city’s website for two days. An investigation involving third-party forensic specialists began shortly thereafter to determine the means and scope of the attack. A separate review was conducted in August to assess the level of compromise to the city’s stored data. Notification letters were sent out in September to all individuals whose data may have been exposed in the attack. The city is providing free credit monitoring services to those affected for one year. Everyone notified has been encouraged to stay vigilant in their own credit monitoring efforts. Since the confirmation of the attack, the city has begun reviewing its existing cybersecurity policies and procedures. Leaders are also evaluating additional measures and safeguards to prevent a similar attack in the future. This includes contracting with an outside cybersecurity team to monitor more than 6,000 of the city’s servers and PCs as part of an extensive monitoring system. Tucson is also providing cybersecurity training to its employees to improve their cyber hygiene.
The compromise of the user account used in the attack was most likely the result of a credential stuffing attack. External threat actors launch such attacks on millions of user accounts every day. In 2020, more than 193 billion credential stuffing attacks were detected. While users are encouraged to change their passwords periodically and not to use the same password for all accounts, password rotation provides little protection against such attacks. No organization today should be relying on password protection as its only authentication method. Consider implementing these security controls.