Pierluigi Paganini May 17, 2024

The City of Wichita disclosed a data breach after the ransomware attack that hit the Kansas’s city earlier this month.

On May 5th, 2024, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The city immediately started its incident response procedure to prevent the threat from spreading and announced an investigation into the attack.

Wichita is the most populous city in the U.S. state of Kansas and the county seat of Sedgwick County. As of the 2020 census, the population of the city was 397,532

The investigation was conducted with the help of third-party security experts and the city also notified federal and local law enforcement authorities.

“We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the initial security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”

The City warned that some services may be temporarily unavailable while systems are offline, it did not disclose the family of ransomware that infected its systems and the name of the extortion gang behind the attack.

However, the LockBit ransomware gang claimed responsibility for the cyberattack on the City of Wichita.

A new update provided by the City of Wichita revealed that threat actors copied certain files containing personal information from its network. Copied files included incident and traffic information.

Copied files included incident and traffic information.

“As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.” reads the Notice of Data Event updated on May 14, 2024.

“We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.”

The notice also revealed that threat actors exploited a recently disclosed vulnerability to gain access to the city’s network.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)