The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed — but it now turns out that the attack was a penetration test by a company the city had hired.
“City officials didn’t realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed,” writes Tulsa World’s Brian Barber. “The mailing cost the city $20,000, officials said.”
“An additional $25,000 was spent on security consulting services to add protection measures to the website,” FOX23 News reports.
“The third-party consultant had been hired to perform an assessment of the city’s network for vulnerabilities,” write NewsOn6.com’s Dee Duren and Lacie Lowry. “The firm used an unfamiliar testing procedure that caused the City to believe its website had been compromised. ‘We had to treat this like a cyber-attack because every indication initially pointed to an attack,’ said City Manager Jim Twombly.”
“The chief information officer who failed to determine that the hack was actually part of a penetration test has been placed on administrative leave with pay,” writes Softpedia’s Eduard Kovacs. “In the meantime, his position will be filled by Tulsa Police Department Captain Jonathan Brook.”