Cyber Incident Victim: City of Brazoria
Date:
Feb 2023
Location:
United States of America
Summary
The City of Brazoria experienced a business email compromise incident spanning several days, compromising the personal information of over 3,500 individuals including 11 Maine residents. Discovered months after the incident, the breach exposed names combined with driver’s license or state identification numbers. Affected individuals received written notification and were offered 12 months of credit monitoring and identity theft protection services through Experian IdentityWorks. The compromised email accounts belonged to the municipal government, leading to unauthorized access to sensitive personal data. This event underscores vulnerabilities in business email systems and highlights consequential risks of delayed breach detection processes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The City of Brazoria, Texas, experienced a data breach resulting from a Business Email Compromise (BEC) incident that spanned three days between February 20 and February 23, 2023. The breach was not detected until August 21, 2023, approximately six months after the unauthorized activity occurred. Attackers gained access to systems containing sensitive personal information during the compromise period. Exposed data included individuals’ names paired with driver’s license numbers or non-driver identification card numbers, creating heightened risks of identity theft and financial fraud. A total of 3,505 individuals were affected by the breach, including 11 residents of Maine. The delayed discovery timeline suggests the compromise may have involved sophisticated or persistent threat actor tactics typical of BEC campaigns, though the specific intrusion methods and attacker origins were not publicly disclosed. Municipal operations were disrupted as officials worked to assess the breach’s scope and secure compromised accounts.
The City of Brazoria provided written notification to all affected individuals on October 20, 2023, over seven months after the breach occurred and two months following its discovery. As part of its response, the city offered impacted persons complimentary 12-month subscriptions to Experian IdentityWorks credit monitoring services, featuring three-bureau credit surveillance to detect potential misuse of stolen information. Legal counsel Dominic Paluzzi of McDonald Hopkins PLC submitted the breach disclosure to Maine authorities on the city’s behalf, fulfilling cross-jurisdictional notification requirements given the involvement of Maine residents. No evidence indicated that consumer reporting agencies received mass notifications, likely reflecting the relatively small number of residents affected in any single state beyond Texas. The municipality did not report any previous breach incidents within the preceding 12-month period prior to this event. Forensic investigations and remediation efforts were conducted to prevent similar future compromises, though technical details regarding system vulnerabilities exploited or containment measures implemented remain undisclosed in public filings.