In a troubling incident that underscores the growing threat of cybercrime, the City of Santee, a suburb of San Diego, was apparently the subject of a cyber-attack on August 20, 2024. Just three days after the attack, on August 23, the city signed an agreement with Coveware, a ransomware recovery firm, at a cost of $603,000. The payment was later affirmed by the city council in closed session on September 10.
Despite swiftly authorizing a payment for cybersecurity services, city officials have offered scant information to the public about the breach, fueling questions about both the scale of the attack and the fate of residents’ personal data. According to an attorney hired by the city, Santee “experienced a data security incident involving the theft or encryption of company property.” When the San Diego Union-Tribune requested a copy of the Coveware contract, officials initially denied access, improperly citing attorney-client privilege even though Coveware is not a law firm. Only after being contacted by the newspaper’s attorney did the city release a heavily redacted version of the agreement; the limited visible text reveals only that Coveware was hired “in order to attempt to recover property.” Whose property was not stated.
A High-Priced Response with Few Answers
According to recent disclosures, the incident was first detailed in a closed session agenda for the Santee city council on August 28, described cryptically as a “threat to public services or facilities.” Bree Osborne, spokesperson for the City of Santee, confirmed that the incident led to an outage in the computer network “that services administration offices for the city.” While City officials maintain that emergency services and public safety systems were unaffected, they have yet to clarify what data may have been accessed or stolen. And while emphasizing that there was no impact on emergency services or public safety systems, Osborne’s statement that “we have largely resolved the issue” leaves questions about what aspects might remain unresolved.
“I can’t really say anything about that,” Santee City Manager Marlene Best told local media when asked about the investigation, declining to provide a timeline for when it might conclude. “We’re still working on some of that process, and realistically we’re doing good,” she added, without elaborating on what constitutes “good” in this context or how long it would take. As the investigation continues, the City maintains it is evaluating what information may have been compromised. Officials say the probe could take weeks or even months to complete and any notices to be sent to affected persons.
Potential Data Breach Concerns
Modern ransomware attacks often involve both system encryption and data theft. Luke Connolly, a threat intelligence analyst with cybersecurity firm Emsisoft, explains that cybercriminals, also known as “threat actors”, typically steal data and demand ransom for their return. In some cases, threat actors who steal sensitive data that could be harmful or embarrassing if released will demand money to keep the data concealed.
“Without more information we’re just speculating, but we do know that the cost was $600K, which seems like a large sum for at least a couple of the options,” Connolly noted. He added that “as long as organizations continue to make ransomware payments to the criminal gangs, the gangs will continue to look for and find new victims because they follow the money.”
Protecting Yourself: Immediate Steps for Residents
Given the uncertainty surrounding the breach, cybersecurity experts recommend Santee residents take these precautionary measures until it is determined and disclosed whose data was taken and when:
- Monitor your credit reports closely and consider placing a freeze on your credit with all major bureaus
- Review bank statements and credit card transactions carefully for unauthorized charges
- Be particularly vigilant about any unexpected emails or phone calls requesting personal information
- Watch for unusual activity in any accounts linked to city services
- Use complex, unique passwords and enable multi-factor authentication where possible
- Stay alert for potential phishing attempts that might follow the data breach
Regional Context: A Growing Threat
This incident isn’t isolated. After healthcare systems, government entities are considered the second-most-frequent target of cyberattacks across the country. The impact of such attacks can be severe. In Texas, the city of Borger had to operate its water supply manually because of a cyberattack in 2021, and computer systems in 22 small Texas towns were held for ransom in a 2019 hack. New Orleans, New York, and many other cities have reported cyberattacks and ransom demands in recent years. The San Diego region has seen several significant cyber incidents in recent years:
- In 2021, Scripps Health was hit with a cyberattack, with officials similarly withholding details about whether hackers threatened to release sensitive data or demanded ransom
- In May 2024, Palomar Health Medical Group suffered a cyberattack that shut down its computer systems, including digital phone services, making electronic medical records inaccessible for months
- In October 2022, both the San Diego Unified School District and the Sweetwater Union High School District were the subject of cyber-attacks and apparently made ransomware payments to cybercriminals.
The Cost of Silence
The substantial payment of public funds—$603,000—coupled with the limited disclosure, raises important questions about accountability and public’s right to know. The lack of transparency by the City of Santee about the basic nature of the attack and potential data exposure – were residents or employees affected, how many, and what type of data was accessed is fundamentally basic material — leaves residents in a precarious position, unable to fully assess their risk or take appropriate protective measures.
Call for Information
If you have information about the cybersecurity incident or have noticed suspicious activity potentially related to your interactions with City of Santee services, we want to hear from you. Your insights could help shed light on this important public safety issue, and your identity will be protected.
Contact the author, attorney Alan Mansfield at the Consumer Law Group of California.