City News

Posted on: August 24, 2020

Notice of security breach for City of Lafayette residents, employees, and customers

Notice of Security Breach

This public notice is intended to advise residents, employees, and customers of an incident involving a cyberattack on the City of Lafayette’s computer network system, and possible security breach of personal information stored on the City’s system. Although we are unaware of any actual acquisition or misuse of personal information, we are providing notice to potentially affected individuals about the incident and resources available to protect individuals against possible identity theft or fraud.

What Happened?
On July 27, 2020, a ransomware cyberattack on the City’s computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems. The City’s system was shut down and disconnected that morning, and any access the cyber criminals had was cut off at that time. We do not believe personal credit or debit card information was compromised because the City uses external PCI-certified payment gateways, which were not accessible or affected in the cyberattack. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity. 

What Information Was Involved?
Personal information the cyber criminals may have had access to includes first and last name, driver’s license or identification card number, medical information, health insurance identification number, and username and password or log-in credentials to online accounts. It is unknown whether the cyber criminals copied any information from the City’s network.  Specific examples of personal information that may have been accessible to the cyber criminals during the cyberattack include:

  • Usernames and passwords for residential and commercial water bill accounts
  • Cemetery records
  • Names, health insurance identification numbers, and/or personal health information for persons transported by Lafayette Fire Department ambulance prior to January 1, 2018
  • Usernames and passwords for Bob L. Burger Recreation Center online user registration accounts
  • Usernames and passwords for online user registration accounts at the Indian Peaks Golf Course
  • Current and former City of Lafayette employees’ personal information, including Social Security Numbers, driver’s license or identification card numbers, and health insurance identification numbers
  • Liquor and marijuana licensee applications containing applicants’ Social Security Numbers and driver’s license or identification card numbers
  • Name and driver’s license or identification card numbers on traffic citations or other offenses, or on police reports or municipal court records

What Are We Doing?
Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cybersecurity analyst was contracted to provide forensic investigation and recovery. Additional resources were deployed from the Boulder Office of Emergency Management and the State Office of Information Technology. The City assisted local, state, and federal law enforcement agencies in an extensive cyber investigation.   System servers and computers are currently being cleaned and rebuilt. Once complete, data will be restored to the system and all operations will resume. No permanent damage to hardware has been identified. 

The City takes the security and safety of our residents’ and customers’ data very seriously.   While there is no way to eliminate the risk of these types of attacks, the City is taking steps to install crypto-safe backups, deploy additional cybersecurity systems, and implement regular vulnerability assessments to prevent future data threats and safeguard personal information.

What Can You Do?
To protect yourself from the possibility of identity theft, we recommend reviewing banking and credit card statements and report any suspicious activity to relevant financial institutions. Individuals can place a fraud alert or security freeze on credit reports, free of charge, by contacting any or all of the consumer reporting agencies or the FTC listed below. 

Equifax                            Experian                          TransUnion LLC              Federal Trade Commission/Consumer Response 

P.O. Box 740241              P.O. Box 9554                  P. O. Box 2000                  600 Pennsylvania Ave. NW

Atlanta, GA 30374           Allen, TX 75013                Chester, A 19022              Washington, DC 20580

800/685-1111                  888/397-3742                  888/909-8872                     877-IDTHEFT (438-4338) 

For More Information
To inquire about the potential security breach, and for more information, please call 303-661-1250 weekdays between the hours of 9am and 4pm or visit

More info at:
Facebook Twitter Email

Other News in City News

pollco survey newsflash

Make your voice heard!

Posted on: February 11, 2021
Stay off ice

Stay off the ice

Posted on: February 19, 2021
October Connection Newsletter

February Lafayette Connection newsletter

Posted on: February 4, 2021
Boulder County Public Health

COVID-19 vaccine supply remains limited

Posted on: January 21, 2021
Designated Curbside Pickup Zones

Designated curbside pickup zones

Posted on: January 11, 2021
2020 Year in Review

Lafayette 2020 year in review video

Posted on: December 22, 2020
City news Community Grants

Arts in Community Grants available

Posted on: December 5, 2020
2021 annual budget graphic

City Council adopts the 2021 Budget

Posted on: November 3, 2020
Ride Free Lafayette

Ride Free Lafayette

Posted on: July 22, 2020

COVID-19 - Coronavirus Information

Posted on: October 25, 2020

Check out

Posted on: October 18, 2019
Resolution 2016-96

Equal protection under the law

Posted on: February 24, 2017