
McKinney, Texas officials have recently announced a data breach that took place in the fall of 2024.
What happened
On February 3rd, the city of McKinney, Texas, announced that they recently faced a security incident that resulted in the exposure of residents’ sensitive data.
According to their notice, the city was victimized by an unknown third party on October 31st, 2024. The attacker gained unauthorized access to the city’s network and the incident was discovered several weeks later, on November 14th, 2024.
As soon as officials learned of the breach, they immediately began an investigation, notified law enforcement, and worked to secure their systems.
While the breach mostly impacted residents of McKinney, it also impacted former residents. The city filed breach reports in compliance with state laws, showing that individuals in Maine, Texas, and Vermont were also impacted.
Ultimately, the breach impacted 17,751 individuals.
Going deeper
McKinney is a fairly small suburb of Dallas, Texas. It’s estimated there are about 213,000 residents.
According to their notice, a review of the investigation may have caused some delay in sending out breach notifications. The investigation, which began immediately upon discovery, determined on November 16th, 2024, that data had been accessed. After that, the city conducted a more thorough review, which they stated concluded on December 30th, 2024. However, although the review was complete, the city did not begin mailing out notices until February 4th, 2025. The city only notified individuals for whom they had a valid mailing address. Other individuals would need to find the notice online, via the city’s public posting.
According to The Record, impacted data included names, addresses, Social Security numbers, driver’s license numbers, credit card information, financial account data, and medical insurance information.
What was said
As for the delay in notifications, the city said that after the initial review “the City has been working diligently to identify and obtain sufficient information in order to provide you with this notice.”
In response to the breach, impacted individuals are being given one year of free identity protection services. The city also noted that they currently have “reason to believe that there was potentially sensitive employee information impacted in the breach.”
The big picture
Currently, no threat actor has taken credit for the attack, but that doesn’t mean the data isn’t on the dark web. Impacted individuals should carefully monitor their statements and could be at an increased risk for spam calls.
McKinney is far from the only city in Texas to be impacted by breaches. Dallas recently faced a ransomware attack, and multiple other cities and suburbs have been victimized within the last year.
In this incident, McKinney noted they only contacted individuals they had an address for, which should serve as a reminder that even if you have not received a breach notice, you could be impacted by one.