Cyber Incident Victim: City of Collegedale
Date: Apr 2023
Location: United States of America
Summary
The City of Collegedale experienced a ransomware attack by the BlackByte group, which resulted in the exfiltration and subsequent leak of over 4,000 internal documents on the dark web. The compromised data included sensitive personal information on employees and crime victims, financial records, and internal police documents. While the city's safety measures allowed for a quick recovery and restoration of its systems, the stolen data remained publicly exposed.
Description
On or around April 9, 2023, the computer systems of the City of Collegedale, Tennessee, were compromised in a cybersecurity incident. The attack was attributed to the BlackByte ransomware operation, a known group that exfiltrates data from public and private organizations to demand ransom payments. The group’s method of operation typically involves first stealing a copy of data from the target network before attempting to encrypt the systems to lock them, thereby creating a dual threat of data exposure and operational disruption. A folder containing what appeared to be over 4,000 documents from the city's internal systems was subsequently posted on the dark web, an action that was observed on either Sunday, April 9, or Monday, April 10.

The data exfiltrated and later leaked was extensive and varied in sensitivity. The documents included personal information pertaining to city employees and individuals who were crime victims. Financial and bank information, human resources documents, and internal budget documents were also part of the leak. Furthermore, a significant volume of police department records was compromised, including training and certification documents and copies of police reports. While many police reports would typically be subject to public records laws in Tennessee, the leaked data set also contained highly sensitive personal information that is protected from public disclosure.
The city’s public response came on Tuesday, April 11, through a statement from spokesperson Bridgett Raper. The statement confirmed that safety measures were in place which allowed the city to quickly recover its data and restore all affected systems. The city’s IT provider was engaged in the recovery process, with ongoing work to ensure all data was accurately restored following the incident. The statement did not detail the specific nature of the initial intrusion, the exact systems affected, or whether any ransom was demanded or paid. The city spokesperson did not respond to additional follow-up questions posed on Wednesday, April 12, leaving several aspects of the incident unclear, including the full operational impact on municipal services.
The immediate consequence of the incident was the public exposure of sensitive data on the dark web. The potential impacts of such a leak are significant, given the nature of the information involved. For individuals, the exposure of personal identifying information creates a risk of identity theft and fraud. For the city government and its police department, the compromise of confidential internal documents, financial data, and sensitive law enforcement records represents a serious breach of operational security and public trust. The incident also highlighted a broader trend of increasing frequency in such attacks against local governments and police departments, entities that hold exceptionally sensitive data critical to public safety and administration.
The city’s response actions focused primarily on recovery and restoration rather than detailing any containment steps taken during the initial detection of the attack. The statement emphasized the rapid recovery of data and the full restoration of computer systems, suggesting that pre-existing safety measures, which were not specified, were effective in mitigating a prolonged operational outage. This rapid recovery was particularly crucial for the police department, which relies heavily on computer systems for core functions such as checking license plates and warrants, entering reports, and facilitating communication. An encryption attack that successfully shuts down these systems poses a far greater immediate operational risk, potentially hindering law enforcement activities.
While the city worked to restore its systems, the fact that data was already stolen and published introduced a separate, lasting challenge. As noted by threat analysts, even if a ransom is paid to such groups, there is no guarantee the data will be permanently removed from the dark web, with instances of data reappearing after initially being taken down. The City of Collegedale now faces the ongoing task of assessing the complete scope of the data breach and fulfilling its legal obligations under Tennessee state law. Tennessee Code section 47-18-2107 requires organizations holding personal identifying information to notify individuals affected by a breach within 45 days of its discovery, unless such notification would endanger a law enforcement investigation.
The incident drew parallels to other recent cybersecurity events affecting public entities, underscoring the widespread nature of the threat. For example, in Oakland, California, a police union filed a lawsuit against the city in March 2023 after a data leak exposed personal information of city employees, claiming insufficient protective measures were in place despite prior warnings. The Collegedale incident serves as another example of the vulnerabilities within local government infrastructure and the attractive target they present to ransomware groups. These groups are not typically motivated by a desire to harm a specific entity but rather seek out any systems with vulnerabilities or from which they believe data can be profitably sold or leveraged for ransom. The attack on Collegedale was therefore not considered to be a targeted act but part of a larger pattern of opportunistic cybercrime against public sector organizations. The full extent of the incident's impact, including whether any law enforcement investigations were compromised as a result of the data exposure, was not publicly detailed in the immediate aftermath.
