Cyber Incident Victim: Town of Milford

On November 18, 2024, the Town of Milford, Massachusetts, experienced an external system breach resulting from hacking activity. The incident compromised personal information belonging to 2,089 individuals, including four Maine residents. The breach remained undetected until January 14, 2025, when town officials discovered unauthorized access to their systems. Exposed data included names combined with other personal identifiers, though specific data elements beyond this combination were not detailed in the breach notification. The town engaged legal representation through Constangy, Brooks, Smith & Prophete LLP, with attorney David McMillan submitting the formal breach disclosure to regulatory authorities. No evidence suggested the breach stemmed from internal misconduct or physical record theft, as the notification explicitly classified it as an external cyber intrusion.

The Town of Milford initiated written notifications to affected individuals on March 10, 2025, approximately two months after discovering the breach and nearly four months after the intrusion occurred. All impacted parties received offers for identity theft protection services through IDX, including 12 months of credit monitoring, dark web surveillance, a $1,000,000 insurance reimbursement policy, and fully managed identity recovery assistance. No prior breach notifications had been issued by the town within the preceding 12-month period. The delayed discovery timeline between the breach occurrence and identification indicated sustained unauthorized system access. Municipal operations at the 52 Main Street address were disrupted during the investigation, though the notification did not specify downtime duration or restoration procedures. Legal and cybersecurity teams coordinated the response without disclosing whether law enforcement agencies were involved in the investigation.