Cyber Incident Victim: Syracuse Police Department
Date:
Jan 2025
Location:
United States of America
Summary
The Syracuse Police Department discovered unauthorized access to its digital files and shut down its computer system to contain the incident. After a forensic investigation, officials determined that files dating back several decades containing personal information, including Social Security numbers, had been accessed without authorization. Notification letters were sent to potentially affected individuals through a cybersecurity firm, offering free credit monitoring and identity protection services. The city estimated that as many as fifteen thousand people were named in the compromised files and incurred a response cost of two hundred fifty thousand dollars, which was covered by its cybersecurity insurance deductible. Officials stated that no confirmed misuse of the data had been identified at the time of the notifications.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Syracuse Police Department discovered a security incident involving its information technology system on January 11, 2025, prompting officials to shut down the computer network to prevent further spread. It took several weeks for the system to be fully restored after the shutdown. Following the incident, the city engaged cybersecurity and forensic specialists to investigate suspicious activity on the network, which they determined involved certain digital files being accessed or acquired without authorization between January 10 and January 12, 2025. The investigation focused on identifying the individuals named in those files and the specific information contained within them.
After completing its analysis, the city began issuing notification letters in late March 2026 through the cybersecurity firm IDX. The letters informed recipients that their personal information, including Social Security numbers, could have been compromised in the breach. Recipients were offered 12 months of free IDX credit monitoring and identity protection services. A sample letter obtained by syracuse.com on March 27, 2026, explicitly stated that the recipient’s Social Security number might have been exposed. The notifications were sent after the investigation concluded, and the city emphasized that the response was conducted out of an abundance of caution.
City officials reported that the total cost to taxpayers for the breach response amounted to $250,000, which represents the deductible under the municipality’s cybersecurity insurance policy; the insurer covers all expenses beyond that amount, including mailing costs and credit monitoring for those who enroll. Mayor Sharon Owens’ administration briefed the Syracuse Common Council after the letters were distributed, and sources familiar with that briefing indicated that as many as 15,000 individuals were named in the compromised files, which date back to the 1980s. The city stated that its actions complied with applicable state and federal data‑breach laws and noted that, to date, no individual’s information had been confirmed as exposed.
In the broader context, data‑breach notices have become increasingly common due to disclosure laws and a high volume of incidents; in 2025 alone, 278.9 million victim notices were issued across the United States, a figure that was 79 percent lower than in 2024. The Identity Theft Resource Center attributed this decline to cyber attackers shifting away from massive, indiscriminate breaches toward more frequent, targeted attacks on high‑value data sources. This trend underscores the evolving threat landscape that prompted the Syracuse Police Department’s response.