Cyber Incident Victim: Town of Deerfield
Date:
Mar 2021
Location:
United States of America
Summary
A data breach impacting Deerfield, Michigan exposed personal information of over 8,100 residents after an unauthorized third party accessed systems managed by the town's data storage provider, Springbrook Software. The incident involved potential exposure of driver's license or state identification card numbers, prompting the municipality to offer credit monitoring services. External investigations and notification letter preparations caused significant delays between the provider's initial alert and resident notifications. The town's external counsel inaccurately classified the incident as involving a healthcare organization in regulatory filings, though no health plan data was confirmed to be compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 25, 2021, an unauthorized third party accessed or acquired personal information belonging to residents of Deerfield, Michigan, through a data breach involving Springbrook Software, the town’s data storage provider. Springbrook completed its investigation and notified Deerfield of the incident on May 6, 2021. The breach potentially exposed sensitive data, including driver’s license numbers or Non-Driver Identification Card Numbers, for 8,104 individuals. Deerfield initiated its own detailed investigation process following Springbrook’s notification, which involved engaging external organizations to assess the incident and draft breach notification letters. This internal review delayed public disclosure until August 31, 2021, when the town formally announced the breach after mailing notifications to affected residents. Town Administrator Kayce Warren acknowledged the extended timeline between Springbrook’s May notification and the August announcement as an unavoidable consequence of the investigative process, describing the delay as "unfortunate."
The town offered credit monitoring services to impacted residents as part of its response. Deerfield reported the incident to the Maine Attorney General’s Office on August 26, 2021, five days before the public announcement. External legal counsel from Wilson Elser, representing Deerfield, inaccurately classified the town as a "healthcare organization" in the Maine filing, prompting inquiries from DataBreaches.net about potential health data involvement. No clarification was provided, and no corresponding entry appeared on the U.S. Department of Health and Human Services’ breach portal at the time of reporting. The incident’s scope remained confined to personal identification data, with no confirmed evidence of health information exposure or additional attacker actions beyond initial data access. Deerfield’s reliance on third-party vendors for both data storage and breach response underscored procedural dependencies in its cybersecurity incident management.