Cyber Incident Victim: City of Duluth
Date: Aug 2016
Location: United States of America
Summary
A phishing attack compromised a city clerk's email account after an employee responded to a fraudulent request, enabling unauthorized access that sent spam emails and potentially exposed sensitive data. The breach risked disclosure of voter registration lists containing names, addresses, phone numbers, and birth dates; business license reports with Social Security and tax ID numbers; and job applicant information including driver’s license details. While no evidence indicated targeted data theft or election system compromise, the city notified affected individuals, provided credit monitoring for those with exposed Social Security numbers, and incurred costs for investigation and notifications. Authorities confirmed no impact on election integrity, and the city enhanced security training without disciplining the involved employee, attributing the incident to typical spam operations rather than systemic hacking.
Description
On August 14, 2016, a Duluth city clerk’s office employee fell victim to a phishing email disguised as a legitimate request for information related to a computer issue. Believing it was an internal communication, the employee responded, inadvertently granting the attacker—later traced to Ghana—access to her email account. The breach remained undetected for eight days until August 22, when the employee recognized the scam and reported it. By then, the compromised account had been used to send approximately 300,000 spam emails. City officials immediately shut down the affected account upon discovery. Subsequent forensic analysis revealed the intruder potentially accessed multiple sensitive documents stored within the email system, including a voter registration list containing 55,184 names, addresses, phone numbers, and birth dates; a business license report with 427 business records including some Social Security and tax ID numbers; four business license applications with driver’s license or passport details; and job applicant information for 14 individuals. Of particular concern were 184 exposed Social Security numbers.

The city notified law enforcement, including the FBI, due to the international origin of the attack. Over 55,000 notification letters were mailed to affected residents, accompanied by a dedicated hotline for inquiries. Credit monitoring services for three years were offered to individuals whose Social Security numbers were exposed. Officials emphasized that voter data—except birth dates—was already publicly accessible, and Minnesota Secretary of State Steve Simon confirmed no evidence of election system compromise or anomalous voter registration activity. St. Louis County Auditor Don Dicklich affirmed county election data remained secure due to encrypted transfers. Total incident costs, including investigations, mailings, and legal fees, were estimated between $35,000 and $50,000. Mayor Emily Larson prioritized pre-election transparency despite timing concerns, citing public right-to-know principles. No disciplinary action was taken against the employee, though the city implemented enhanced security training and protocol reviews. Forensic investigators found no indication that the attacker specifically targeted or exploited the exposed personal data, concluding the primary motive was likely harvesting email addresses for spam distribution.
