Cyber Incident Victim: City of Nassau Bay
Date:
May 2023
Location:
United States of America
Summary
The City of Nassau Bay experienced an external system breach resulting in the compromise of personal data for thousands of individuals. The incident involved the acquisition of names combined with sensitive financial account information, including credit or debit card numbers along with their security codes and PINs. Legal counsel for the entity reported that a single Maine resident was among those affected. Written notification to consumers was provided following the discovery of the intrusion.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 23, 2023, the City of Nassau Bay, Texas, experienced an external system breach. The incident was characterized as a hacking event. The breach was not discovered until October 16, 2023, nearly five months after the initial intrusion occurred. The delay in discovery indicates a period during which unauthorized access to the city's systems went undetected. The investigation into the breach determined that the attacker or attackers successfully acquired sensitive personal information belonging to individuals.
The compromised information included the name or another personal identifier of each affected individual in combination with their financial account number or credit/debit card number. Furthermore, this financial data was compromised in combination with the security code, access code, password, or PIN for the account. This combination of data elements significantly increases the severity of the breach, as it provides the information necessary for fraudulent transactions and identity theft. The total number of persons affected by this data security incident was 8,839. This figure includes residents from various jurisdictions, with only one of the affected individuals being a resident of the state of Maine.
The City of Nassau Bay, located at 1800 Space Park Dr., Suite 200, with a zip code of 77058, is categorized as an Other Government Entity. The breach notification was submitted to the Maine Attorney General's office by Blair Dawson, a Member acting as Legal Counsel for the city. The contact information provided for the submission included a telephone number, 312-642-6131, and an email address, [email protected]. This submission was part of the entity's compliance with data breach notification laws following the discovery of the incident.
The method of consumer notification chosen by the city was written notice. These written notifications to the affected consumers were dispatched on November 22, 2023. This date is more than a month after the breach was discovered on October 16, and over six months after the breach initially occurred on May 23. The notification process included providing a copy of the notice sent to affected Maine residents, which was filed under the name `Notice_B_NoCM_Source_V1_32877500v1.pdf`. The city confirmed that it had not experienced any previous breach notifications within the 12 months preceding this incident.
A significant aspect of the city's response was the decision not to offer identity theft protection services to the individuals whose highly sensitive financial information was acquired in the breach. This decision meant that affected persons were not provided with credit monitoring, identity restoration services, or other similar protections often offered in the wake of such significant data compromise. The breach exposed a substantial number of people to potential financial fraud, and the lack of offered protection services placed the responsibility of monitoring accounts and credit reports solely on the individuals impacted.
The impacts of this incident are directly tied to the type of information acquired by the attackers. With names, financial account numbers, and associated security codes or PINs in their possession, the threat actors had the necessary components to commit various forms of financial crime. The affected individuals faced an immediate and elevated risk of unauthorized withdrawals from their accounts, fraudulent credit card charges, and other malicious activities designed to steal funds or assume their identity for financial gain. The single affected Maine resident was subject to the same risks as the other 8,838 individuals.
The chronology of events began with the breach itself on May 23, 2023. The systems of the City of Nassau Bay were compromised on this date through an external hacking incident. The specific techniques used by the attackers, the attack vector, and the exact systems targeted were not detailed in the public notification. The breach remained active and undetected within the city's network environment for a prolonged period, from May until its discovery in mid-October. The discovery on October 16, 2023, initiated the incident response process, which included an investigation to determine the scope of the intrusion and the specific data elements that were accessed and acquired.
The investigation concluded that personal and financial information was exfiltrated. The city then began the process of organizing its response, which included preparing and sending breach notification letters to all 8,839 affected persons. These letters were mailed out on November 22, 2023. The notification to the Maine Attorney General’s office, which is a public record, serves as the primary source of factual information regarding the incident's scope, timing, and the nature of the compromised data. The response actions documented were limited to the investigation and the consumer notification process, with no mention of specific containment or eradication steps taken to secure the systems against future attacks. The consequences of the breach are the potential financial harm to thousands of individuals and the operational and reputational impact on the City of Nassau Bay government.