Cyber Incident Victim: City of Hailey

On January 30, 2025, the City of Hailey detected suspicious activity within an employee email account, prompting an immediate investigation. The City engaged legal counsel and a nationally recognized cybersecurity and digital forensics firm to assist in determining the nature and scope of the incident. By February 14, 2025, the investigation confirmed a breach of the email account’s security system, meeting the definition of a security incident under Idaho Code § 28-51-104(2). The forensic review revealed that unauthorized access compromised sensitive personal information of Idaho residents, including names, Social Security numbers, and driver’s license numbers. The City’s investigation remained ongoing to identify all affected individuals and the full extent of data exposed within the email account. No evidence suggested broader system compromise beyond the targeted email account at the time of the notification.

The City formally notified the Idaho Attorney General’s Consumer Protection Division of the breach on February 14, 2025, fulfilling statutory obligations under state law. Parallel notifications were issued to the Idaho Chief Information Security Officer and the Office of Risk Management to coordinate incident response and oversight. The City emphasized its commitment to providing updates as the forensic review progressed, though no additional details regarding attacker methods, containment measures, or resident notifications were disclosed publicly at this stage. Impacted data types confirmed to date indicated significant risk of identity theft or fraud for affected individuals. The incident involved no reported disruptions to municipal services or systems outside the compromised email account.