Duluth phishing attack may have exposed private data

More than 55,000 Duluth residents will receive letters in the next few days informing them that voter registration lists and other personal information may have been exposed as a result of an email phishing expedition at city hall.

The scam hit the Duluth city clerk's office, where an email account was compromised.

"It was just an email account. It wasn't our core files. So this wasn't a cyber hack. This was an email phishing scam apparently by someone from Ghana," said David Montgomery, Duluth's chief administrative officer.

Montgomery said the employee who fell for the phishing email had been working with the city's information technology department and initially thought she was responding to a legitimate request for information relating to a computer issue.

When she realized otherwise, Montgomery said the employee closed out, but the damage had already been done.

The sender of the suspect email was able to gain access to the employee's email account, which was then used to send out "something like 300,000 spam emails," Montgomery said.


The breach occurred on Aug. 14 and was discovered eight days later, at which time the compromised email account was shut down immediately.

An ensuing investigation determined that the email intruder could have accessed several potentially sensitive documents, including:

  • A voter registration list that contained 55,184 voter names, addresses, phone numbers and dates of birth
  • A business license report that contained about 427 business names, addresses, some Social Security numbers and tax ID numbers
  • Four business license applications that contained names, addresses, birth dates, tax ID numbers, Social Security numbers and driver's license or passport numbers
  • Job applicant information for 14 people, containing personal contact information, driver's license numbers and questionnaire responses

Included in some of the documents were 184 Social Security numbers. Montgomery said the city will provide all of those individuals with credit-monitoring support for the next three years to guard against any identity theft crimes.

After the phishing attack was discovered, Duluth city staff notified police and the FBI, as it was determined to have originated from a foreign country.

The voter information is all considered public data, available upon request, except for the birth dates.

Montgomery encouraged voters to keep an eye out for any suspicious credit activity - always a wise idea - but he considers the risk of birth data leading to abuse to be remote at best.

"We do think date of birth is a relatively low-level piece of information. With that information alone, there's not much you can do with it. But it is personal information and we take that very seriously, so we want to make sure people are notified," Montgomery said.

He said there's no reason to believe the phishing attack was orchestrated to collect anything more than email addresses.

"We've had no indication from anybody and no indication through activity that this information actually was accessed. We believe, based on that, that this was a typical email spammer attempt simply to access email for use in sending out whatever spammers are sending out," Montgomery said.


Minnesota Secretary of State Steve Simon expressed confidence that even if any voter information was inadvertently discovered through the phishing attack, that should have no impact on the integrity of next week's election.

"Based on what the city of Duluth has told us and our understanding of what happened, the information that was contained in the voter registration rolls would not have allowed anyone who wasn't that person to go in and change or somehow alter their registration status," he said.

"Our Minnesota statewide voter registration system - that's what our office runs, kind of the master database - to our knowledge has never been breached, compromised or taken down at any time," Simon said.

Even so, Simon said his staff looked for signs of any unusual activity in the wake of the phishing attack in Duluth.

"We went the extra step in an abundance of caution and we said: What if there was some way that someone could get in here? We did analysis of voter registration activity in Duluth around that date range, and we saw nothing out of the ordinary," he said.

St. Louis County Auditor Don Dicklich also said he sees no need for concern that the recent security lapse by the city could affect the coming election. He said the county sends election data to the city in password-protected encrypted files and shares info with the state using a secure system, too.

"There's no way that the firewall between us and the state was impacted when this happened at the city, and likewise, because we send encrypted information, there's no way for them to get back into our server through that city computer. We're 100 percent confident our data is all secure," Dicklich said.

Nevertheless, Duluth Mayor Emily Larson said she felt it was important to inform voters of the breach prior to the election next week.


"This comes at a very highly charged time for people, with a national election that has people very anxious and alert and on edge. We certainly do not want to contribute to that, and we also think it's really important to be as clear and transparent as possible with this, which is why we came out with it now, rather than hanging onto it and coming out with something after the election," she said.

"Sitting on this for political reasons or because of the tone and tenor nationally, that actually felt like it would be a worse decision for the public. This is a right-to-know scenario. We stand behind that. My information is in there, too, so I'm in it with everyone else," Larson said.

Montgomery agreed that speedy disclosure was the best course of action.

"We've got an election coming up, and it's an election where a lot of allegations are being made as to the integrity of the voting process or whether the elections are rigged. We felt it was extremely important for the purposes of transparency and full disclosure that we get this out before the election. It just took us this long to go through all the investigative work that it takes to go through this many emails and files," he said.

"Anybody who does not get a letter was not impacted by this in any way and so should not be concerned, because there's no information of theirs that was accessed," Montgomery said.

Stephanie Pearson of Duluth received a letter Monday informing her that some of her personal information may have been disclosed as a result of the exposed email account.

"It really does concern me, in that this is a fundamental right of democracy, and if we have to be concerned about this information, we need to be concerned with a lot more," she said. "I want to believe in the best. I want to believe that we have a fundamentally sound system, but this makes me question it a little bit."

In order to field questions related to the phishing attack and possible repercussions, the city has set up a hotline at 1 (844) 565-4395 or (218) 730-4987.


The city also incurred legal, investigative and mailing costs. Montgomery said he hasn't seen all the bills yet, but he suspects the total cost of dealing with the phishing fallout will probably be between $35,000 and $50,000.

No disciplinary action has been taken against the city employee whose email account was compromised, but Montgomery said the city has stepped up training and is looking to strengthen its security protocols.

Larson said the phishing misadventure was not an easy lapse to acknowledge.

"This is disappointing to me too, but it's still the right thing to do," she said.

Peter Passi covers city government for the Duluth News Tribune. He joined the paper in April 2000, initially as a business reporter but has worked a number of beats through the years.