Cyber Incident Victim: Lampasas County

On January 9, 2025, Lampasas County, Texas, experienced a data security breach impacting 3,263 individuals, including one Maine resident. The incident remained undetected until February 27, 2025, when county officials discovered unauthorized access to personal information. The compromised data included names combined with other personal identifiers, though the specific nature of these additional identifiers and the exact method of breach were classified under the "Other" category in regulatory filings. As a government entity operating from 501 E. 4th Street, Suite 103 in Lampasas, the county engaged Constangy, Brooks, Smith & Prophete LLP attorney Lindsay Nickle to manage breach notifications and regulatory compliance. The 49-day gap between breach occurrence and discovery indicated delayed detection mechanisms, though no evidence suggested public disclosure of intrusion methods or threat actor attribution.

Lampasas County initiated written notifications to affected individuals on April 23, 2025—55 days post-discovery and 104 days after the breach—providing Maine's Attorney General with a copy titled "Lampasas_County_-_Regulatory_Notification_-_ME(12797821.2).pdf." The county offered all victims 12 months of identity protection services through IDX by ZeroFox, including credit monitoring, dark web surveillance, and a $1 million insurance reimbursement policy. No prior breaches within the preceding 12 months were reported. The limited Maine resident impact (one individual) exempted the county from mandatory consumer reporting agency notifications under Maine's threshold requirements. Attorney Nickle served as the designated contact for regulatory communications, with her firm coordinating breach response through the provided telephone number (806-535-0274) and email address ([email protected]). No technical details regarding containment procedures, forensic investigations, or system remediation efforts were disclosed in the notification documentation.