Long Beach officials said Wednesday that some city data was stolen during a cybersecurity breach it detected earlier this month, but, officials said, it could be weeks or months before a clear picture emerges of what exactly was taken.
The city said it does not currently know what type of data was taken or how much. It could potentially include sensitive information, considering city systems hold things like personal employee data, confidential information submitted by vendors, and payment information of residents and others who have used credit cards to pay for city services.
“The city is working with third-party cybersecurity professionals to determine the nature and scope of data that was taken,” the city said in a statement. “Our primary objective of the investigation is to determine whether individuals’ personal information was accessed and/or acquired as a result of the incident.”
In the meantime, the city advised residents about ways they can protect themselves if they’re concerned about their personal data being compromised, including monitoring bank accounts, updating passwords, enabling multi-factor authentication, and updating security questions and passwords “not only for the affected account but also for any others with similar credentials.”
Under state law, Long Beach will have to notify anyone it determines had their personal data compromised or it reasonably believes had their data compromised.
But, the city said, identifying whether specific individuals had their sensitive information accessed is “incredibly detailed and will likely take many weeks to complete.”
The city said it would notify by mail anyone affected by the breach “as soon as reasonably possible.”
If anyone’s social security number was part of the data that was acquired, the city said it would provide credit monitoring services to those individuals, according to the release.
The city will also have to report the breach to the California Attorney General’s office, which has a portal that tracks cyber attacks.
“We deeply understand and regret the angst caused by the cybersecurity incidents on our residents, customers and employees and know how concerned our stakeholders are about the possibility of personal information being accessed,” City Manager Tom Modica said in a statement. “We as a City are fully committed to following established best practices for identifying affected individuals and providing support during this difficult time.”
The city is still working to get all of its systems back online after learning it was the victim of a cyberattack on Nov. 14. Officials haven’t gone into detail about how the city fell victim to or discovered the breach, but in response to the intrusion, Long Beach’s technology teams proactively took down its network so it could “disrupt and expel any unauthorized parties from the City’s systems.”
Since then, a third-party cybersecurity team and city staff have worked to put systems back online and work to ensure a breach doesn’t happen again.
That includes requiring all city network users to reset their passwords, implementing stricter password requirements and using a multi-factor authentication process for its users.
Some digital library services as well as the ability to make payments for utility bills remain offline, but city officials hope that utility bill payment processing could be back online by next week.
The Utilities Department has advised customers that it won’t be assessing late fees or issuing shutoffs due to the inability to pay over the past few weeks when its systems were down.
The city had spent millions on cybersecurity efforts over the past few years including buying cybersecurity insurance that will help cover some of the costs associated with responding to the breach. That insurance paid for credit monitoring, legal costs and potentially a ransom — something the city has declined to say if it or its insurance provider paid.
In the most recent budget adopted by the City Council in October, the city dedicated $600,000 to bolster its ability to respond to cybersecurity events and to improve the overall security of the city’s systems. In past years, the city has hired cybersecurity professionals and implemented citywide cybersecurity training, according to budget documents.
Editor’s note: This story was updated to clarify that examples of what the stolen data could include were not provided by the city.