Grass Valley, California has suffered a data breach.

Upon discovering the incident, Grass Valley says they took immediate steps to secure their networks, contacted law enforcement, and began an investigation with the assistance of a cybersecurity firm. The investigation determined that an unauthorized person obtained access to specific Grass Valley computer systems between April 13, 2021 and July 1, 2021. After further investigation, it was discovered that the unauthorized person transferred files outside of Grass Valley networks.

Data that was accessed included that of:

• Grass Valley employees, former employees, spouses, dependents, and individual vendors, name and one or more of the following: Social Security number, driver’s license number, and limited medical or health insurance information.
• Individual vendors that were hired by the city, name and Social Security number.
• Individuals whose information may have been provided to the Grass Valley Police Department, name and one or more of the following: Social Security number, driver’s license number, financial account information, payment card information, limited medical or health insurance information, passport number, and username and password credentials to an online account.
• Individuals whose information was provided to the Grass Valley Community Development Department in loan application documents, name and one or more of the following: Social Security number, driver’s license number, financial account numbers, and payment card numbers.

“Municipalities struggle to identify and respond to data breaches, as I’ve experienced first-hand in the past,” says Elizabeth Wharton, VP Operations at SCYTHE. “They suffer significantly from the cybersecurity skills gap, often with limited budgets. The cybersecurity industry needs to give them tools that help their teams gain experience with real-world threats so that they can continuously validate their processes and technologies, but it needs to provide them at a price-point that makes sense.”