DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

The City of Tulsa’s costly screw-up

Posted on October 2, 2012October 3, 2012 by Dissent

The saga of the City of Tulsa hack-that-wasn’t-a-hack  fascinates me and would be funny if it wasn’t such a costly foul-up. While the city’s IT manager is on paid administrative leave, Ian Silver of Fox23 provides some additional details , most notably:

  • To their credit, the city had hired SecurityMetrics 18 months ago to periodically check their security for holes. The “hack” was a result of SecurityMetrics doing their job and finding a hole in the process.
  • The city checked the IP address for the intruder but thought it might be a spammer. It appears they never checked with SecurityMetrics.  I contacted SecurityMetrics, who provided the following statement:

    SecurityMetrics conducts regular vulnerability scans for tens of thousands of clients each month and uses an identical process to notify all account managers of scan results following each scan completion. In addition, each client has 24/7 online access to their SecurityMetrics account which includes times of past and future scans, and individual scan vulnerabilities. Although there was no breach, we applaud the City of Tulsa for implementing a punctual and accurate response process.

    So it seems the city could have easily checked its account online to see if there had been a scan at the time of the “intrusion,” but didn’t. Had they done that, it could have spared them a lot of time, money, and grief.

  • In addition to paying SecurityMetrics, the city wound up paying $20,000 in mailings to 90,000 people whom they thought had been victims of a hack. They also paid $25,000 to True Digital Security to investigate what they thought was a hack. Why they didn’t ask SecurityMetrics to investigate the hack is not explained. Had they done that, they might have also averted the costly mailing and other fees.
  • The city is hiring yet another firm to help them restructure their IT department so this type of thing doesn’t happen again.

It’s good that they detected a breach, and I don’t want to dismiss the importance of that.  But the rest of this was a bit of a fiasco and re-structuring and improving communications may help avert a similar situation in the future.  But  what are other lessons to be learned here?

Related Posts:

  • Tulsa IT Director On Administrative Leave After…
  • City Of Tulsa Systems Hacked
  • Potential Tulsa website hacker victims notified…
  • Tulsa Says Network Hack Gained Some Social Security Numbers
  • OH: City says it wasn't hacked by group

Post navigation

← Ca: Student hacks into school board database
NC: Laptops stolen from Robeson elections board contained personal info of 71,000 voters →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • If you’re in Rock County, Wisconsin, do NOT read this post. Absolutely do not read this post.
  • PA: Great Valley School District Falls Victim to Ransomware Attack
  • MT: Personal information of 900 Butte School District employees compromised in cyberattack
  • Pacific Cataract and Laser Institute confirms cyberattack
  • OAIC alleges Australian Clinical Labs hack resulted from lacklustre security measures
  • Proliance Surgeons notifying 437,392 patients after ransomware attack earlier this year
  • After $50 Million Breach, KyberSwap Faces Hacker’s Shocking Demands
  • Hendersonville city employees target of cybersecurity breach

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net