A data breach earlier this year at City Hall resulted in the unauthorized release of personal information of hundreds of Morgan Hill employees, according to City Manager Christina Turner.
The city hired a private cybersecurity firm to investigate the breach, which city staff learned about in July. Authorities from the Federal Bureau of Investigation contacted city officials to notify them the breach had occurred, Turner said.
The unknown suspect or suspects gained access to the personal information of about 480 former and current full-time and part-time city employees, including the elected city councilmembers, Turner said. Everyone who was employed by the City of Morgan Hill in 2017 was affected by the security incident.
Specifically, each of the impacted employees’ “W-2 Summary” report was accessed. Personal information on such reports typically includes the employee’s wages and salary details, as well as Social Security Number, address and other personal information.
All the impacted current and former city employees have been notified that their information was accessed, Turner added. Each of the victims has been sent a letter notifying them of the breach, as well as offering recommendations on what they can do to protect their identities from being used for fraudulent purposes.
“We’re just making sure we are doing what we can for our teammates,” Turner said. “We have established a toll-free line they can call with any questions, so they can understand how credit monitoring works.”
She encouraged the affected city staff people to reach out to her or City Attorney Don Larkin—who also serves as the city’s risk manager—with any questions.
Turner said city officials do not yet know who is responsible for the breach. The city hired the business law firm McDonald Hopkins, which includes cybersecurity counseling as an area of expertise, to investigate the breach and advise City Hall how to improve data security in the future.
“We take privacy and security of personal information very seriously, so as soon as we found out we engaged (McDonald Hopkins) on what needed to be done, making sure we have the proper security controls in place to avoid these things,” Turner said.
City staff added in a statement: “We remain committed to maintaining the privacy of information entrusted to us and, moving forward, are taking steps to strengthen our security protocols and practices to help prevent similar issues in the future.”