More than a year after a cyberattack compromised systems in Long Beach, California, the city has confirmed that sensitive data belonging to nearly half a million individuals was exposed. The breach, which occurred in November 2023, led to unauthorized access of biometric records, medical data, and financial information. The delayed disclosure—17 months after the incident—has drawn criticism from residents and security experts alike.
Incident Overview
The attack forced Long Beach to shut down citywide systems and deploy a stripped-back version of its official website during recovery efforts. An emergency proclamation was issued, and the FBI was brought in to assist with the investigation. The breach bears similarities to the 2024 Change Healthcare incident, which disrupted hospital operations nationwide. Unlike ransomware attacks, this intrusion involved data exfiltration rather than encryption, complicating detection and response efforts.
Technical Impact and Data Exposure
The breach affected 305,347 individuals, including residents, employees, and stakeholders. Exposed data included:
- Biometric information (irreversibly compromised)
- Medical records, including COVID-19 testing data from 2020-2021
- Social Security numbers and driver’s license details
City officials attributed the disclosure delay to forensic investigation requirements, but critics argue this left victims vulnerable to identity theft. The incident mirrors security failures in the Los Angeles Unified School District’s 2023 breach, where over 2,000 student records were leaked.
Response and Mitigation
Long Beach allocated $1 million in its FY2025 budget for cybersecurity upgrades and offered free credit monitoring to affected individuals. City Manager Tom Modica stated there was “no evidence of fraudulent activity,” while Mayor Rex Richardson faced scrutiny over the delayed notification. The city’s call center (888-802-9667) remains operational for breach-related inquiries.
Broader Security Implications
This attack highlights systemic vulnerabilities in government IT infrastructure, particularly legacy systems. The breach occurred as Long Beach prepares to host events for the 2028 Olympics, raising concerns about infrastructure resilience. Comparatively, the 2024 Change Healthcare cyberattack caused $1 million daily losses for 60% of impacted hospitals, demonstrating the cascading effects of such incidents.
Lessons for Security Professionals
The 17-month gap between intrusion and disclosure underscores the need for improved incident response protocols in municipal systems. Key takeaways include:
- Biometric data requires stronger protection due to its immutable nature
- Government entities should prioritize modernization of legacy systems
- Transparent communication timelines build public trust during breaches
For ongoing updates, the city maintains a dedicated network security incident page. Security teams should review the LAUSD breach analysis for comparable case studies in public sector cyber incidents.
References
- “AHA Report, March 2024,” Fierce Healthcare, [Online]. Available: https://www.fiercehealthcare.com/providers/aha-94-hospitals-financially-impacted-change-healthcares-cyberattack
- “Long Beach City COVID-19 Update 4/23/20,” Long Beach Local News, 23 Apr. 2020. [Online]. Available: https://www.longbeachlocalnews.com/2020/04/23/long-beach-city-covid-19-update-4-23-20/
- “Long Beach City Delays Nearly 2 Years to Disclose Breach Exposing SSNs, IDs, Biometric Data,” Long Beach Local News, 15 Apr. 2025. [Online]. Available: https://www.longbeachlocalnews.com/2025/04/15/long-beach-city-delays-nearly-2-years-to-disclose-breach-exposing-ssns-ids-biometric-data/
- “LAUSD Cyber Attack Includes at Least 2,000 Student Records,” Los Angeles Times, 22 Feb. 2023. [Online]. Available: https://www.latimes.com/california/story/2023-02-22/lausd-cyber-attack-includes-at-least-2-000-student-records
