Additionally, both Superintendent of Schools Joel Boyd and City Manager Tom Golden have allocated more than $1 million combined funding from their respective budgets to purchase LifeLock protection for all current city and school employees impacted by the cyber breach.
LifeLock is identity theft protection software, that, according to the company's website, "monitors for identity theft, the use of personal information, and credit score changes."
On May 11, Play said it had released 5 gigabytes of data from that theft and posted it to the dark web.
The dark web is a part of the Internet that isn't indexed by mainstream search engines and requires special browsers like Tor, permissions, software and system configurations to access. It is used to keep Internet activity anonymous and is fertile ground for illegal or criminal enterprises like Play.
Documents given to The Sun appear to show that the allegedly stolen data includes personal and personnel data such as medical billing records and employee disciplinary cases.
Chief Financial Officer Conor Baldwin told the City Council Tuesday that the total value of the no-bid contract is more than $1 million.
"We procured this on an emergency basis under 30B," Baldwin said. "And we had conversations with the Inspector General's Office about that. We came to LifeLock through sound business practices."
Chapter 30B is the law that governs the procurement of supplies, services and real property by cities, towns and other local jurisdictions in Massachusetts. It contains procedures to ensure open and fair competition for contracts paid for with public money.
Baldwin noted that the city has a vendor relationship with LifeLock's parent company, Norton, which expediated the emergency authorization and implementation.
"During open enrollment, city employees are able to — through the normal benefits process — sign up at a cost to them," Baldwin said. "So, because of this pre-existing relationship they were the first dial, so to speak."
Employees were notified of the free service via email earlier this week, with the city describing the hack as a "cyber-related event" and an "incident."
"Out of an abundance of caution, we are working to implement an identity and credit monitoring service for all city employees and their families," read the email. "The City remains committed to assisting any possible victims of this incident and is taking every step possible to prevent the further theft of sensitive data. The City is working with third-party experts to assist us in doing do."
On a related cybersecurity matter, Councilor Erik Gitschier asked Golden to request that Human Resources Director Mary Callery "send a letter to anybody who has been employed over the last three years for the city who has had direct deposit — some kind of generic letter that, 'here's what's going on,' that at least notifies people."
Golden thanked City Auditor Kelly Oakes and her auditing team for getting "every one of the employees that we have here in the city" paid.
MUNIS, an enterprise resource planning technology that manages financials, human resources, asset management and revenues for municipal governments, is back online, as is Larimore, a public safety software system used by the Lowell Police Department.
The city's last public update to residents was May 17, although Golden told the council that, "We've had 11 communications, whether they be small or in depth, to all the current employees."
©2023 The Sun, Lowell, Mass. Distributed by Tribune Content Agency, LLC.
