City Hall NOT Hacked

Oct 1, 2012

  After further investigation, we have confirmed that personal information was not accessed by an unauthorized user.   Based on the best information we had available at the time, and in order to comply with state notification laws and perform due diligence, the City notified individuals whose information was potentially accessed, as a precaution.   “We are dedicated to the security and protection of our employees and citizens first. We had to treat this like a cyber-attack because every indication initially pointed to an attack,” said City Manager Jim Twombly.   A third-party consultant hired initially to perform an assessment of the City’s network and infrastructure was tasked last week with reviewing available logs. The firm confirmed, in response to the Administration’s request, that they found inconsistencies in the information initially pointing to a possible cyber-attack.   The City’s IT Department uses a separate third-party firm to periodically attempt to access the City networks to identify the system’s vulnerabilities and provide feedback. In this case, the firm used an unfamiliar testing procedure that was not immediately discovered. The test functioned as designed, and the City’s IT Department was able to identify and address vulnerabilities. As a result, the City of Tulsa has further secured and protected our systems, servers, and web users. We have confirmation from this firm that no personal information was accessed.   Mayor Dewey Bartlett said, “The good news is that we can now confirm that no personal information was accessed by an unauthorized source. In addition, we have used this opportunity to enhance our network security and strengthen processes that we would use to identify potential breaches.”   Bartlett said the KPMG efficiency recommendations called for further review of the Information Technology organization, including processes, practices and infrastructure. “The Management Review Office has been working on a Request for Proposals, and I’ve asked them to expedite the process in order to receive recommendations as soon as possible.”   As a result of the incident, the City mailed approximately 90,000 letters at a cost of about $20,000. “We did spend about $20,000 on a mass mailing in order to notify those who were potentially impacted. Again, our first priority, based on the information we had, was to notify and help protect those individuals,” Twombly said.