The investigation confirmed someone gained unauthorized access to the city’s network and to personal data, according to a news release, and prompted a renewed focus on cybersecurity.
“We take the privacy and security of the information entrusted to us very seriously. While we have safeguards in place to protect the data in our care, we are working to review and further enhance these protections,” Lea Eriksen, the city’s chief information officer, told Government Technology via email. “We are taking the necessary steps to best prevent a similar incident from occurring in the future.”
The city, which has nearly 450,000 residents, began notifying people by mail Monday and is offering complimentary credit monitoring for those who were affected. A call center number has been set up and an updated FAQ list made available in four languages.
An unauthorized third party accessed the city’s network sometime around Nov. 14, 2023, leading officials to take systems offline, declare a state of emergency and later allocate an additional $1 million for cybersecurity in the Fiscal Year 2025 budget. The accessed data contained personally identifiable information such as Social Security numbers, dates of birth, financial and medical information, and other sensitive identifiers.
Email, phone lines and public safety services, including 911, remained operational throughout, according to the incident updates on the city website. To maintain service continuity, the city expanded in-person support for functions like bill payments. Officials declared a state of emergency Nov. 17, 2023, and many systems were restored by Nov. 27. Utility billing resumed Dec. 4, and library services were fully restored by Dec. 15. As of October 2024, the city was still working with third-party cybersecurity experts to assess the breach’s scope. The incident was not caused by ransomware, according to city officials.
Long Beach continues to invest in cybersecurity improvements, its CIO said. That funding will go toward hiring experts, training employees, testing, and data loss prevention tools. The city, Eriksen said, regularly evaluates its security practices and requires all employees to complete annual cybersecurity awareness training.
