Cyber Incident Victim: Worcester County

In November 2020, Worcester County, Maryland, experienced a cybersecurity incident involving unauthorized access to a county government email account. The breach occurred between November 10 and November 20, 2020, and was discovered during a forensic investigation into a separate phishing incident. Cybersecurity professionals conducting the investigation identified the compromise, which exposed limited personal information belonging to approximately 3,000 individuals. The affected individuals included current employees and retirees associated with Worcester County government operations and the Board of Education. The forensic analysis confirmed the breach stemmed from the earlier phishing incident, though specific technical details about the attack vector or perpetrator were not publicly disclosed. The investigation established the timeframe of unauthorized access but did not reveal whether the attackers exfiltrated data beyond the compromised email environment.

Worcester County authorities publicly addressed the breach following the forensic team’s findings, issuing an official statement through their website. The disclosure confirmed the exposure of personal information but emphasized the data involved was "limited," without specifying exact data elements such as names, Social Security numbers, or financial details. No evidence of identity theft or fraudulent misuse of the exposed information was reported at the time of the county’s announcement. The incident prompted coordination between county government and Board of Education entities to notify affected individuals, though the notification timeline relative to the 2020 discovery date remained unclear. Public reporting of the breach occurred in April 2022 through media outlets, reflecting the gap between incident discovery and external disclosure. The county’s response focused on transparency regarding the breach’s scope while maintaining operational continuity for government services.