(TNS) – More than 900 people had their personal information compromised – potentially including their date of birth, driver’s license and social security number – following a cyber breach in East Windsor in late February, reports Officials confirmed Wednesday.
Not all of the information was released to everyone, but “between 900 and 1,000” people had at least one aspect of their personal information breached, Township Manager Jim Brady told NJ Advance Media.
The township is in the process of notifying people if their information has been leaked by sending out letters in the mail, notifying them of the breach and the information that has been exposed. Victims of the breach include employees, retirees, former employees and residents.
Credit card and banking information was not disclosed because the township uses a third-party vendor for these tasks, Brady said.
The number of victims could increase, Brady acknowledged, as the investigation continues.
Township officials learned that personnel records were downloaded without permission during the breach “over the past three weeks”, he said. The delay in notifying people is due to the township’s process of finding and verifying information, he said.
“We had to finalize the information and make sure the information being released is correct,” Brady said. “We are doing it as soon as possible.”
He declined to answer who violated township systems or whether officials know the person’s identity.
The township hired Experian Consumer Service Identity Works to help notify those affected and manage the fallout, Brady said. There is no evidence the leaked data was misused, officials said, which the company’s forensic team verified.
As a precaution, the township is offering victims “free access to credit monitoring, fraud counseling and identity theft restoration services.”
East Windsor is responsible for a $25,000 deductible, Brady said. The rest of the cost will be covered by the township’s insurance, the Middlesex County Municipal Insurance Fund.
Brady confirmed the breach occurred after a township employee clicked on an email containing the virus, “between February 23 and 24.” As this was unintentional, the unidentified employee remains employed without disciplinary action, he said.
The official timeline of the cyber breach has been called into question.
Township officials first informed the public of the violation in mid-March, a week after they said they first became aware of it on March 7.
But a public records request revealed that the township’s insurance claim contained a loss date of March 1, six days before authorities said they first became aware of it.
Brady told NJ Advance Media that although the employee granted access to the virus in late February, he was aware of the “email spoofing” and was told the fraudulent emails were a problem with their email provider, not an internal problem.
When employees arrived at work on March 7, they found they were locked out of their system and became aware of the breach, Brady said.
East Windsor continues to work with the FBI, Bureau of Homeland Security, New Jersey Cybersecurity and Communications Integration Cell, and state police on the breach.
In response to the breach, the township replaced its server, VPNs (virtual private networks), desktops and software, Brady said. Passwords have also been reset and virus protection has been added.
Employees will also receive in-house virus training going forward, Brady said.
© 2022 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.