Update: February 16, 2018
Alameda County Library informed you of a cybersecurity incident involving the names and addresses of an unknown number of library patrons. Today, we can tell you what we have learned from the investigation.
Our investigation indicates that patron names and addresses were accessed on August 15, 2017, August 16, 2017, and September 11, 2017. The information was accessed by an unauthorized party through a vulnerability in the Library’s catalog website provided by our software vendor. We identified the unauthorized access via the catalog website’s logs.
The website vulnerability was fixed on December 8, 2017.
According to the log entries that show unauthorized access to patron data, there is no information that indicates patrons’ driver’s license numbers or birthdates were accessed.
Additionally, library card barcodes were accessed separately from names and addresses. These barcodes did not include corresponding patron names. A library card account cannot be accessed without a patron’s name.
How many library card holders were affected?
Our investigation indicates that 325 patron names and addresses were accessed by an unauthorized party.
How can I find out if I was affected?
Patrons can contact us by email at firstname.lastname@example.org or by phone at 510-745-1504. If you would like to make any changes to your library card account, please contact your local branch of the Alameda County Library system. Patrons should report any suspicious activity associated with their library account to their local library.
What is the status of the investigation?
After working with law enforcement and technology service providers, the Library has completed its review of the facts and circumstances surrounding the incident, and has concluded the investigation.
What can be done to prevent this from happening again?
As a result of this incident:
- Library IT staff worked with our software vendors to conduct a systems and security analysis with respect to data security, and will continue to be alert to data security threats.
- Although neither patrons’ driver’s license numbers nor birthdates were accessed, the Library is considering changes to our policy regarding the types of information we collect. Specifically, Alameda County Library is reviewing the need to collect optional data such as driver’s license number, birthdate, and email.
The Library hopes to pave the way for other libraries to re-evaluate the types of information collected from patrons.
October 20, 2017
Alameda County Library is investigating a cybersecurity incident involving the names and addresses of an unknown number of library patrons. On September 11, 2017, the Library was contacted by perpetrators who provided a list of approximately 35 Library patron names and addresses. The perpetrators claimed to have this information for the Library’s entire database of users, and threatened to sell the information.
The data provided to the Library did not contain additional personal information that the Library collects, such as birthdate, driver’s license number, or e-mail. The Library never collects social security numbers, financial or credit/debit card information, or medical information.
How Did Alameda County Library Respond?
The Library reported the incident to law enforcement and is continuing to investigate exactly how many library card holders are affected.
Library patrons and taxpayers have every right to expect that their personally identifiable information is protected. We are committed to finding out how this happened and to preventing it from happening again.
Were My Name and Address Accessed by the Perpetrators?
Alameda County Library has mailed letters to the 35 known affected patrons.
How Many Library Card Holders Are There?
There are approximately 400,000 library card holders. At this time, the Library is continuing to investigate exactly how many library card holders are affected.
What Information Does the Library Database Contain?
The patron database record includes a name, address, telephone number, library card number, and an optional birthdate, email address, and driver’s license number. The Library never collects social security numbers, financial or credit/debit card information, or medical information.