Sausalito City Government Hit With Cybertheft

Save ArticleSave Article

Failed to save article

Please try again

This article is more than 5 years old.
Sausalito in Marin County (Daniel Ramirez/Flickr)

The personal information of scores of current and former Sausalito government employees was exposed in an email phishing scam late last month.

The names, addresses, Social Security numbers and income records of 147 city employees were inadvertently emailed to someone claiming to be a Sausalito official, according to Melanie Purcell, the city's administrative services director.

"I wouldn't wish this on anybody," Purcell said in an interview. "There's a level of really feeling bad that we put employees in this position to deal with it."

A city worker emailed last year's W-2 tax forms to an "unknown, unauthorized third party" on Jan. 30.

The following day Sausalito employees received a letter, notifying them of the breach. The city says it told the Internal Revenue Service, Federal Trade Commission and the California Franchise Tax Board about the cyberthefts.


Two members of the City Council were among those whose information was exposed, Purcell said.

The Sausalito Police Department is investigating the breach. The FBI has been made aware of the case but has not opened a probe into it, according to Prentice Danner, a spokesman for the FBI's San Francisco division.

The worker who inadvertently handed over personal information of government employees was responding to an email that purported to be from a city official, Purcell said. The worker sent the data in an attachment to an email.

"In trying to be responsive to a request for information from the city manager, she jumped ahead of herself and sent out stuff that should not have been sent out," Purcell said, emphasizing that the city responded aggressively to the breach.

"The employee who released the information actually notified me as soon as she realized what it was, so we were able to jump on it very quickly," Purcell said.

There are no signs yet that the information has been used, she said.

The city has encouraged its employees to contact their financial institutions and credit reporting agencies to file fraud alerts and request consumer protection measures. Sausalito is also offering a free year of credit monitoring services to its workers.

The breach prompted CalPERS to begin an "administrative lock" on all of the city employees whose information was released, according to another letter sent to workers on Feb. 2. The lock, the letter explains, requires employer verification when an account is viewed or changed.

To prevent a similar hack, Sausalito is looking into strengthening its spam filters for city agency computer systems and creating new rules that employees would need to follow before they communicate about worker information over email, Purcell said.