Thousands of files — including names, addresses and Social Security and credit-card numbers — have been compromised in a cyber attack on the city of Akron.
The city’s website and internal systems were hacked by a Turkish group. Some files were posted on the Internet.
The Beacon Journal will not provide information where these files may be found in order to protect possible victims.
Deputy Mayor Rick Merolla confirmed that a series of attacks got past the city’s firewall sometime Thursday. The city took its website down temporarily to assess the extent of the attacks. Initially, officials believed the only information affected was old city news releases.
Merolla said it appears the hackers got into the city’s internal systems and were able to access taxpayer information and tax preparer information.
The city is working with the FBI’s cyber crimes unit, Merolla said.
“This has obviously never happened to us before,” said Merolla. “I’m frankly perplexed that anyone got past our firewalls, which were all up to date.
“We thought we had everything protected. Apparently someone got past the sophistication we thought we had,” he said.
The hacked files were posted on a website and appear to include spread sheets. One file has more than 31,000 entries with names, Social Security numbers and addresses. Another file has account numbers and Social Security numbers.
In total, it appears that there are 47,452 entries in the various files. The vast majority of the entries appear to be individuals and their information. One file appears to be tax preparations companies.
Tyler Hudak, a senior security consultant for KoreLogic Security, an Annapolis, Md.-based computer security company, said workers for the company noticed the Akron website had been hacked. Because Hudak works in Akron, a co-worker emailed him.
Hudak said some files appear to have credit-card numbers with expiration dates from late 2012.
Some of the information is partial and some appears to have full names, addresses and Social Security numbers. It is unknown if there are duplicates in the files.
A Turkish hacking group called Turkish Ajan has claimed credit for the attack. Hudak said the group is part of Anonymous’ OpUSA Campaign, which has been specifically trying to hack into various U.S. government websites.
AkronNewsNow.com reported Thursday that a message from the group in Turkish and English decrying U.S. policy in the Middle East appeared on the city’s website.
A married couple who live in the city of Akron confirmed to the Beacon Journal that Social Security numbers posted from the hacked files are theirs. The Beacon Journal will not name these people to protect their identity.
“It does worry me and does anger me,” said the man. “Most of the time when it comes to the potential of identity theft, the thing I’m most cautious about is my Social Security number.”
The man blames the city for his information being released, but at the same time said that he also knows that “even the best efforts at security can be compromised.”
The man said he would be placing credit freezes on both his and his wife’s credit reports to protect themselves.
Merolla said city officials had not yet determined how to notify the victims or whether to offer services such as credit monitoring.
“We are working with law enforcement,” he said.
Merolla said he doesn’t think the city was targeted specifically.
“I don’t think it was aimed just at us,” he said. “It was one of those anonymous hackers that sends millions of files out.”
Merolla said the city will need to work on tightening its website security.
Hudak said if the city was not aware of the extent of the attack, that might mean the hackers were able to get through to other vulnerable spots on the city’s systems and could attack again.
“If the city didn’t fix the vulnerabilities they were hacked by, the bad guys can just get back in,” he said.
Hudak said his experience is that often companies don’t know they’ve been hacked or the extent of the damage until they bring in professionals.
He said he cannot say with any authority whether the hackers were intending to do malicious things, such as stealing identities with the information, or just showing they could hack the system.
Staff writer Stephanie Warsmith contributed to this report. Betty Lin-Fisher can be reached at 330-996-3724 or blinfisher@thebeaconjournal.com. Follow her on Twitter at www.twitter.com/blinfisher and see all her stories at www.ohio.com/betty.