The city of Wichita’s electronic procurement website – through which it handles everything from vendor payments to public bids – was the victim of a “sophisticated hacking operation” over the weekend, City Manager Robert Layton said Tuesday.
The hacking affects several local and regional vendors, some city employees and a select number of Wichita residents. But information was not taken from the city’s bill payment databases, meaning that city utility customers are not affected.
Wichita officials are working with the FBI, Wichita police and other law enforcement agencies to determine what information the hackers may have obtained and how similar incidents can be prevented, Layton said. In the meantime, the website is down, delaying the city’s plans to take bids Friday on at least one project.
Wichita police Capt. Gavin Seiler said the hacking occurred sometime between shortly after 1 a.m. Saturday and 8 a.m. Monday.
As soon as city officials discovered the attack, Seiler said, they shut down the system and notified police, the FBI and the state’s security office to determine the scope of the incident.
“Late in the day on Monday, they were able to determine the breach had occurred and that it was widespread,” Seiler said.
Based on current information, as many as 29,000 vendors and employees may be affected. The cyberthieves may have obtained Social Security numbers, taxpayer identification numbers and banking information.
It’s not the first time hackers have attempted to gain access to the city’s computer databases, Layton said.
“The system always beats them back,” he said. “But not this time. This was a pretty sophisticated hacking operation.”
Seiler said the hackers may have compromised the private financial information of vendors who have done business with the city, such as those involved in building or construction, and current and former employees who have been reimbursed for travel and other expenses since 1997.
The hacking doesn’t affect the city’s payroll system, which is different, or the city’s utility bill collection system, Layton said.
In addition, any residents who have received payments from the city for any reason could have had their information compromised, Layton said. Those businesses, individuals and employees whose accounts may be affected are being notified by the city through e-mail, fax, mail and the Wichita.gov website.
“I can assure you that the city is working around the clock in ensuring everybody is notified; we have started that process,” said Arlene Sokolowski of the city’s law department. “As indicated, this is from the e-procurement site, so this does not affect every employee.
“We are in the process of securing, evaluating and auditing the system. At this moment, nothing has occurred. Nobody has been a victim. No one has gone into any accounts. However, just with that notification, we are suggesting those affected contact those credit agencies, put out a fraud alert, contact financial institutions and be proactive.”
The city is recommending that vendors with direct deposit business accounts and employees check with their financial institutions. They also recommended visiting one of the major credit agencies to sign up for free fraud-alert services.
If employees or vendors discover their information has been used illegally – resulting in financial loss – they should contact the Wichita Police Department at 316-268-4221.
The procurement website is one of 14 websites operated by the city, officials said.
Contributing: Beccy Tanner of The Eagle