Full Report
The Superior Court of San Joaquin said that it experienced a cybersecurity incident last year during which personal information was leaked. Officials said an unauthorized person accessed court systems from Oct. 25-30, 2024, and copied certain files. Details: https://www.sjcourts.org/cybersecurity-incident/
Analysis Summary
# Incident Report: San Joaquin Superior Court Data Breach (2024)
## Executive Summary
The Superior Court of San Joaquin experienced a cybersecurity incident between October 25 and October 30, 2024, where an unauthorized actor gained access to court systems and exfiltrated sensitive files. This incident resulted in the exposure of significant personal identifying information (PII) belonging to court patrons. The court responded by enhancing security measures, offering complimentary identity protection services, and establishing a dedicated call center.
## Incident Details
- **Discovery Date:** Not explicitly stated; assumed to be shortly after October 30, 2024, based on the published notification date (given in the source as November 7, 2025, likely a typo for 2024).
- **Incident Date:** October 25, 2024 – October 30, 2024.
- **Affected Organization:** Superior Court of San Joaquin County.
- **Sector:** Government/Judicial System.
- **Geography:** San Joaquin County, California, USA.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before October 25, 2024.
- **Vector:** Unauthorized access to court systems (specific mechanism not disclosed).
- **Details:** An unauthorized person gained entry to the court's computer network.
### Lateral Movement
- **Details:** The actor moved within the court's systems to locate and copy files over the five-day window (specific techniques not disclosed).
### Data Exfiltration/Impact
- **Date/Time:** Occurred between Oct. 25-30, 2024.
- **Details:** An unspecified volume of files containing personal data was copied and exfiltrated. Affected data included names combined with Social Security Numbers, driver's license/CA ID numbers, tax IDs, passport numbers, military IDs, bank account info, credit/debit numbers, medical information, and health insurance details.
### Detection & Response
- **Details:** Detection occurred after October 30, 2024. Response included enhancing security measures on the network and notifying affected parties.
## Attack Methodology
*Note: Specific TTPs are generally not detailed in public notifications, so the descriptions below are inferred from the outcome rather than from disclosed evidence.*
- **Initial Access:** Unauthorized access (Mechanism unknown).
- **Persistence:** Implied, as access lasted for a 5-day window.
- **Privilege Escalation:** Implied, necessary to access and copy sensitive files.
- **Defense Evasion:** Implied, successfully operated undetected for 5 days.
- **Credential Access:** Unknown, but likely required to access PII files.
- **Discovery:** Implied, to locate and identify valuable files.
- **Lateral Movement:** Implied, to navigate systems and collect files.
- **Collection:** Copying of various sensitive files confirmed.
- **Exfiltration:** Data copying confirmed.
- **Impact:** Unauthorized exposure and theft of Personally Identifiable Information (PII).
## Impact Assessment
- **Financial:** Unknown, but the court offered one year of complimentary identity protection/credit monitoring services to affected individuals.
- **Data Breach:** Extensive PII exposure potentially including SSNs, financial data (bank/credit), government ID numbers (Driver's License, Passport, Military ID), and sensitive health information.
- **Operational:** The primary operational impact appears to be system integrity compromise over the five-day period and subsequent mandatory remediation/notification efforts.
- **Reputational:** Negative impact due to the disclosure of a significant PII breach involving sensitive legal and personal data.
## Indicators of Compromise
*No specific IOCs (IPs, hashes, domains) were provided in the source material.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized access and systematic file copying over a multi-day period (Oct 25-30, 2024).
## Response Actions
- **Containment:** The unauthorized person's access is presumed to have been cut off after October 30, 2024; the notice does not describe the containment steps taken.
- **Eradication:** The full scope of compromised systems and any persistence mechanisms (e.g., backdoors) would need to be identified and removed; the notice does not describe eradication steps.
- **Recovery:** Security measures on the court's computer network were enhanced to prevent recurrence.
- **Notification & Assistance:** A dedicated toll-free call center (844-354-1371) was established. Affected individuals were offered one year of complimentary identity protection and credit monitoring services.
## Lessons Learned
- **Detection Gaps:** The initial unauthorized access persisted undetected for a significant period (five days), indicating potential blind spots in continuous monitoring or anomaly detection for internal system usage.
- **Data Inventory:** The breach highlights the breadth of highly sensitive data types (SSNs, financial account data, government ID numbers, medical and insurance information) stored in court systems; repositories holding such data warrant an accurate inventory, network segmentation, and enhanced access controls.
## Recommendations
1. **Implement Enhanced Monitoring:** Deploy 24/7 security monitoring focused specifically on detecting abnormal data access patterns, bulk file copies, and lateral movement within critical PII repositories.
2. **Strengthen Access Controls:** Review and enforce the principle of least privilege for all accounts accessing sensitive court data. Implement Multi-Factor Authentication (MFA) universally.
3. **Proactive Threat Hunting:** Conduct regular, proactive threat hunts using known TTPs associated with initial access and data exfiltration to identify potential low-and-slow intrusions before they escalate.
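As an added illustration of recommendation 1 (not code from the court's notice or from this report's source), the following Python sketch detects the behavioral indicator noted above, sustained bulk file reads by one account across several consecutive days, over a constructed file-share audit log; the log format, account names, paths and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_read_counts(lines):
    """Distinct files read per (account, day) from lines shaped
    'YYYY-MM-DDTHH:MM:SS account action path' (assumed log format)."""
    seen = defaultdict(set)
    for line in lines:
        ts, account, action, path = line.split(maxsplit=3)
        if action == "READ":
            seen[(account, date.fromisoformat(ts[:10]))].add(path)
    return {key: len(paths) for key, paths in seen.items()}

def find_sustained_bulk_readers(lines, factor=10, min_days=3):
    """Flag accounts whose daily distinct-file reads exceed factor x the
    median (account, day) count on at least min_days consecutive days.
    Returns {account: (first_hot_day, last_hot_day, longest_run)}."""
    counts = daily_read_counts(lines)
    threshold = factor * median(counts.values())
    hot_days = defaultdict(set)
    for (account, day), n in counts.items():
        if n > threshold:
            hot_days[account].add(day)
    flagged = {}
    for account, days in hot_days.items():
        run = best = 0
        prev = None
        for day in sorted(days):
            run = run + 1 if prev and day - prev == timedelta(days=1) else 1
            best, prev = max(best, run), day
        if best >= min_days:
            flagged[account] = (min(days), max(days), best)
    return flagged

def build_sample_log():
    """Constructed audit records (not from the court's systems): three clerks
    reading 2-4 case files a day for two weeks, plus one account that reads
    40 files a night during the Oct. 25-30, 2024 window."""
    lines, start = [], date(2024, 10, 21)
    for d in range(14):
        day = start + timedelta(days=d)
        for i, clerk in enumerate(("clerk_a", "clerk_b", "clerk_c")):
            for n in range(2 + i):
                lines.append(f"{day}T09:{n:02d}:00 {clerk} READ /records/civil/{day}-{i}{n}.pdf")
    for d in range(4, 10):  # Oct. 25 through Oct. 30
        day = start + timedelta(days=d)
        for n in range(40):
            lines.append(f"{day}T02:{n:02d}:00 svc_scan READ /records/pii/{day}-{n:03d}.pdf")
    return lines
```

Calling `find_sustained_bulk_readers(build_sample_log())` flags only `svc_scan`, with a six-day run from October 25 to October 30; tuning `factor` and `min_days` against real baselines is what keeps the alert from firing on legitimate end-of-month batch work.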