Full Report
More than a year after a cyberattack on the government of Long Beach, California, the city is informing residents that information on nearly half a million people was leaked.
Analysis Summary
# Incident Report: Long Beach Government Data Breach (November 2023)
## Executive Summary
In November 2023, the government of Long Beach, California, experienced a sophisticated cyberattack resulting in unauthorized access to sensitive data affecting nearly half a million individuals. The investigation, finalized in March 2025, confirmed the exfiltration of highly sensitive personal identifying information (PII). The city responded by taking affected systems offline and issuing a local emergency declaration, though emergency services remained operational.
## Incident Details
- **Discovery Date:** Not explicitly stated; the breach occurred in November 2023 and the investigation concluded on March 18, 2025.
- **Incident Date:** November 2023.
- **Affected Organization:** Government of Long Beach, California.
- **Sector:** Local Government.
- **Geography:** Long Beach, California, USA.
## Timeline of Events
### Initial Access
- **Date/Time:** November 2023.
- **Vector:** Not specified; described only as a sophisticated cyberattack that led to a system breach.
- **Details:** Attackers gained unauthorized access to government systems.
### Lateral Movement
- **Details:** Attackers achieved unauthorized access, leading to the confirmed exfiltration of data. Specific lateral movement techniques are not detailed in the provided context.
### Data Exfiltration/Impact
- **Details:** Sensitive personal information of 470,060 people was accessed and stolen. This included Social Security numbers (SSNs), financial account information, credit/debit card numbers, biometric data, medical data, driver’s license numbers, passports, and tax data.
### Detection & Response
- **How it was discovered:** The article does not specify the initial detection method but notes an "extensive" forensic investigation was conducted afterwards, concluding March 18, 2025.
- **Response actions taken:** Emergency services were not impacted, but some government systems were taken offline. The city website was down (email and phones remained available). A proclamation of local emergency was issued, and victims with leaked SSNs are being offered one year of identity protection services. A call center was established for victims.
## Attack Methodology
- **Initial Access:** Unknown/Undisclosed.
- **Persistence:** Unknown/Undisclosed.
- **Privilege Escalation:** Unknown/Undisclosed.
- **Defense Evasion:** Unknown/Undisclosed.
- **Credential Access:** Unknown/Undisclosed (the only related detail disclosed is that PII and financial data were accessed).
- **Discovery:** Unknown/Undisclosed.
- **Lateral Movement:** Unknown/Undisclosed.
- **Collection:** Extensive collection of PII, financial, medical, and identity documents.
- **Exfiltration:** Data was successfully exfiltrated; no ransomware attribution was claimed.
- **Impact:** Mass exposure of sensitive personal data.
## Impact Assessment
- **Financial:** Unknown costs to the city; victims offered identity protection services. No indication of fraudulent activity reported by the City Manager.
- **Data Breach:** Sensitive data of 470,060 individuals, including SSNs, financial details, medical records, and passport information.
- **Operational:** Some government systems were taken offline in response, leading to delays in city services. Emergency services were reportedly not impacted.
- **Reputational:** Negative perception resulting from a large breach affecting hundreds of thousands of residents who were notified over a year later.
## Indicators of Compromise
- **Network indicators:** None specified; the source publishes no URLs or IP addresses.
- **File indicators:** None specified.
- **Behavioral indicators:** Unauthorized access leading to massive PII exfiltration.
## Response Actions
- **Containment measures:** City systems suspected of compromise were taken offline.
- **Eradication steps:** An extensive forensic investigation and manual document review were conducted over 15 months.
- **Recovery actions:** Restoration of services and public notification/support (identity protection services, call center).
## Lessons Learned
- The investigation and subsequent notification process were highly time-intensive (15 months), which the city attributed to the need for certainty regarding the forensic results.
- The data accessed was extremely sensitive, indicating a high degree of success by the threat actors in targeting valuable repositories within the government network.
- The city chose not to disclose technical details of the incident to avoid exposing further vulnerabilities.
## Recommendations
- Strengthen security controls governing high-value PII databases (SSNs, financial records, biometric data).
- Implement advanced threat detection capabilities to reduce the time between initial intrusion and detection/containment, minimizing the data exfiltration window.
- Review incident response plans regarding the timeliness of mandated breach notifications, balancing forensic rigor with timely public disclosure requirements.