The personal details of 55,000 Duluth and St. Louis County residents – including voter information – may have been compromised after a phishing attack on city servers.
Duluth Mayor Emily Larson confirmed the attack happened back in August when someone using their City of Duluth email account opened a message that was actually from a scammer trying to access personal information.
This gave the hacker temporary access to the worker's email account, and a probe has found they may have gained access to details of up to 55,000 people.
Among the information accessed was an old voter identification file, which Larson says contains mostly details that, apart from voters' dates of birth, are public already.
The current voter ID file has not been tampered with and Larson says there will be no impact on anyone who is planning to vote or who has already voted in the Nov. 8 elections.
"The Secretary of State has verified in writing that while this voter information has been potentially accessed, the current voter identification file for the Nov. 8 election has not been tampered with," Larson said.
"Meaning that the voter list for this fall, including those who choose to do early voting, absentee voting and election day voting, is clean and has not been tampered with or touched. Your vote is protected and the integrity of the voting process remains in-tact. If you have received the letter, please call the phone numbers listed to."
'The timing is terrible'
In her letter, Larson admitted "the timing is terrible" coming a week before the election, but felt it was better to notify people now rather than after the election.
"It’s just better policy to be clear and transparent and let you know what happened at the soonest possible time. Which is today," she said.
The reason the city didn't report it in August was because it took a significant amount of time to go through every file and account to check whose data was compromised and whose wasn't.
Larson said the city is reviewing and updating its security policies and practices, including more staff training, to ensure this doesn't happen again.
Phishing scams tend to take the form of fraudulent email messages that appear to come from legitimate companies, which direct you to a spoofed website that gets you to divulge private information, which the hackers then use to commit identity theft, according to Indiana University.
Duluth residents impacted by the scam can expect to hear from the city in the coming days with advice on how to proceed.