Not everyone had each piece of info leaked, but “between 900 and 1,000″ people had at least one aspect of their personal info breached, township manager Jim Brady told NJ Advance Media.
The township is in the process of notifying people if their info has been leaked by sending letters in the mail, informing them of the breach and what pieces of info were exposed. Victims of the breach include employees, retirees, former employees, and residents.
Credit card and banking information was not leaked, since the township uses a third-party vendor for those tasks, Brady said.
The number of victims may increase, Brady acknowledged, as the investigation continues.
Township officials learned the personnel files had been downloaded without authorization during the breach “within the last three weeks,” he said. The delay in notifying people is due to the township’s process of finding and verifying info, he said.
“We had to finalize the information and make sure the information going out is correct,” Brady said. “We’re doing it at the earliest point that we can.”
He declined to answer who breached the township’s systems, or if officials know the person’s identity.
The township hired Experian Consumer Service Identity Works to help notify impacted people and manage the fallout, Brady said. There’s no evidence the leaked data has been misused, officials said, which the company’s forensics team checked for.
As a precaution, the township is offering victims “complimentary access to credit monitoring, fraud consultation, and identity theft restoration services.”
East Windsor is liable for a $25,000 deductible, Brady said. The rest of the cost will be covered by the township’s insurance, the Middlesex County Municipal Insurance Fund.
Brady confirmed the breach occurred after a township employee clicked on an email containing the virus, “between Feb. 23 and Feb. 24.” Since it was unintentional, the unidentified employee remains employed without disciplinary action, he said.
The official timeline of the cyber breach has been called into question.
Township officials first notified the public of the breach in mid-March, one week after they said they first became aware of it, on March 7.
But a public records request revealed the township’s insurance claim contained a loss date of March 1, six days before officials said they first became aware of it.
Brady told NJ Advance Media that although the employee allowed the virus access in late February, he was aware of “email spoofing” and was told the fraudulent emails were an issue with their email provider, and not an internal issue.
When employees arrived to work on March 7, they found they were locked out of their system and became aware of the breach, Brady said.
East Windsor is continuing to work with the FBI, Office of Homeland Security, New Jersey Cybersecurity and Communications Integration Cell and state police on the breach.
In response to the breach, the township has replaced its server, VPNs (virtual private networks), desktop computers, and software, Brady said. Passwords have also been reset and virus protection has been added.
Employees will also be receiving in-house training on viruses in the future, Brady said.
© 2022 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.