Cyber Incident Victim: City of Grass Valley
Date:
Apr 2021
Location:
United States of America
Summary
A California municipality experienced a significant data breach affecting all city employees, former employees, spouses, dependents, vendors, individuals with records held by the local police department, and loan applicants through its community development office. Compromised information included Social Security numbers, driver's license details, health insurance data, financial account and payment card information, and passport numbers. The unauthorized data exfiltration occurred over several months before being discovered, with notification letters distributed months later. While the city acknowledged the broad scope of impacted groups, it could not confirm specific individuals' exposure. Credit monitoring and identity theft protection were offered for one year exclusively to those whose Social Security or driver's license numbers were confirmed compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Town of Grass Valley, California, experienced a significant data breach beginning on April 13, 2021, when unauthorized actors gained access to the city’s network and exfiltrated sensitive files over a prolonged period until July 1, 2021. The breach compromised personal information across multiple municipal departments, impacting all city employees, former employees, their spouses, dependents, and vendors. Exposed data included Social Security numbers, driver’s license numbers, and health insurance information. Individuals who had submitted information to the Grass Valley Police Department faced broader exposure, with compromised records containing names, financial account details, payment card information, passport numbers, and additional identifiers. Loan applicants through the Community Development Department were similarly affected. The city did not detect the breach in real-time, only fully comprehending the scope of stolen data by December 2021 after a months-long forensic investigation.
Grass Valley initiated breach notifications on January 7, 2022, informing victims of the incident and offering one year of complimentary credit monitoring and identity theft protection via Experian’s IdentityWorks service—but restricted this offering to individuals whose Social Security numbers or driver’s license numbers were confirmed as exposed. The city acknowledged limitations in verifying specific data impacts for individuals, directing inquiries to a call center that could not perform name-based lookups. Instead, affected parties were instructed to self-identify based on their association with the breached categories (e.g., police records or loan applications) to receive an enrollment code. Located near Sacramento with approximately 13,000 residents, Grass Valley faced operational and reputational challenges due to the breach’s scale and the delayed public disclosure nearly nine months after the initial intrusion. The incident underscored vulnerabilities in municipal data handling and incident response protocols, particularly concerning third-party service dependencies like the Experian partnership for victim remediation.