All Contra Costa County Library branches and the Martinez administrative offices are currently experiencing a network outage due to a ransomware attack.
The Library is working with the Contra Costa County Office of the Sheriff and the Contra Costa District Attorney’s Office to investigate the attack.
The affected servers have all been taken offline and some library services have already been restored. It may be several days before all library services are fully operational. Libraries will be open as regularly scheduled, you can check out and return materials and use public computers, though printing services are not available at this time. Some online services are impacted, but Discover & Go and Overdrive are operational.
“We apologize for the inconvenience this outage is causing our patrons and ask for patience as we work to get all services back online,” said County Librarian Melinda Cervantes. “We are working closely with law enforcement, including IT experts to gather information and prevent future attacks.”
The Library only collects name, address, phone number, email address and birth date. The Library does not collect social security numbers and does not store credit card payment information. In the past the library collected driver’s license numbers, but ended that practice in 2019 and removed all driver’s license information from customer records.
The Library has no evidence that any personal patron data has been compromised. The server that stores patron data related to library card accounts and transactions was not affected, still it’s always wise to monitor your personal information on a regular basis.
17 comments
Interesting, right after they convert to new software. Hopefully they will look at the vendor.
yeah right a little too convenient
so they paid the ransom and signed he NDA
gratz
OBAMA would be proud
hopefully it wasn’t 2 billion dollars to support terrorism
“All animals are equal, but some animals are more equal than others” has been moved from the fiction/commentary section to the self-help section. Only in California!
Despite their assurances that no personal information was compromised, I did show my Social Security card as one of the validations of identity when I applied for my new library card during this past year. I’m thinking she really only cross-checked that the info matched driver’s license and what I look like, though….. can’t recall that she copied down any of the info.
Still…..
We don’t ever ask to see any ID other than your drivers licence and a piece of mail if the address has changed. We would never ask to see your social security card, and there is no field to enter information from it. It doesn’t even work for proof of anything. If you showed it to a staff member, I’m betting it was an attempt to check out without having the card or ID.
@Antler From what I recall, they visually check that the name and address on the ID matches the data you provided. They don’t record anything other than your name, address, and optionally, a phone number and/or e-mail address.
That’s interesting that you provided additional validation of ID such as a social security card. Did they ask for this? I don’t recall being asked and typically never carry anything that could be used for ID other than my driver’s license and a credit card.
https://ccclib.org/get-a-library-card/ says “Current, valid ID with name, photo and address is required.”
Once I was somewhere such as an airport or the DMV and was asked for “additional government issued ID.” All I had was my library card which I showed them. It was accepted even though it only has the patron ID number and does not have my name nor picture. I thought that was odd, did a mental shrug, and was happy they let me through the checkpoint without further issues. I suspect it was more a test of attitude than the actual ID.
At present the main https://ccclib.org/ web has a notice about technical issues. The catalog seems to be fully operational. Oddly, the main web site does not link to the catalog at present even though the catalog seems to be fully operational..
If you try to sign in from the main web site you will run into notices that you can’t as they are having technical issues. However, sign in works if you do it via the catalog’s web site. I signed in and see the list of books I have checked out.
Was any personal data taken? I have no idea and in my case, I don’t care. If you plug my name into Google among the first hits are web sites with my full address, phone number, full date of birth, etc. everything on my credit report seems to be public information including the weird stuff about that for years was only on my credit reports.
@Captain Bebops – the back office servers for the web site, and catalog sites, and catalog database have always been Linux based. The desktops used by staff run Windows. The server that was hacked is a Linux server that hosts the new web site.
I renewed my library card in Oct. 2019 (at the Concord library – where we don’t live) and she didn’t ask for any ID at all. I did bring a piece of mail because when I called I was told to bring one. Hmm…
Glad we’re still spending billions on wars that no longer exist – while paying far too little attention to the future of warfare which is cyber.
Was the software running on Windows? It’s a very unsecure platform but of course popular. They should run on Linux which is much more secure though not as popular with the general public. Even Microsoft has a version of the Windows UI running on top of Linux.
Name
Address
Phone number
Email address
Birth date
Is a lot of perinformation . Why do they want us to think this is no big deal and our personal information hasn’t been compromised! Then the warning at the end to monitor our personal information on a regular basis.
If it was ransomware. It most likely did not compromise server data, which means did not upload any data to a malicious server. It probably encrypted “locked” the local server files and they are in the process of restoring from backups.
Correct. This most likely was an infected attachment on some email some person opened while on the internal network. I wonder if the walk-up PCs in the libraries are appropriately firewalled. The entire point of ransomware is to encrypt the files, not download them. Encrypting them is easy (and more profitable).
Why does the library need our birth date? That gives them and hackers 2 out of 3 pieces of information to steal our identities.
Candy’s comments about the birth date are false. The library does not look at or collect the birth date. The only time a person’s age comes up is that children under 13 will need a parent/guardian to be on the account. It’ll still be the child’s account. If it’s not clear just by looking at someone if the person is 13 or older they may ask. I assume they accept the person’s word. They accept school issued student ID cards as identification.
They ask for and retain your name and address so that if you don’t return something that they can contact you and/or send it to collections. They allow you to get a library card if you have no identification at all. In that case they ask for your postal address and mail a postcard to the address. You then bring the postcard in as proof of your address to get the library card.
They also ask for an phone number and/or e-mail but make it clear both are optional. These are used to notify you that books are coming due and that a hold is available. If you are worried, then get a free e-mail address from any of the free e-mail web sites and forward that to your regular address. Give the free address to the library. If the library is hacked the hacker will get a rather useless e-mail address. Plus, if that address starts getting spammed you will know that the library was hacked. It also protects your security/privacy as the library e-mail can’t be used to sign in on other web sites as you only use it for the library.
Hi WC
Please read the fifth paragraph of the article. It’s states birth date, I’m not making this up or giving false information. And I didn’t create this news article.
Sorry Candy – I missed your earlier reply. I also saw the birth date thing on the CC Times article and intend to call the library on Monday to confirm this. It’s on the the library’s news release which says “The Library only collects name, address, phone number, email address and birth date.”
I visited the Pleasant Hill library and it’s running normally with many people using the library today. You can return and check out books using the kiosk things. There is a glitch with the catalog computers in that some of the links don’t work today. The catalog works.
The friends of the library book store is having a 50% off sale.
There are also many Canada geese using the flood plain where the new library will be built. The geese seem quite happy as there’s now a fence around the field. In past years there was no fence and people would walk their dogs and sometimes would joy ride trucks/SUVs through the mud and shallow lake in the field. The geese seem to have also set up nest sites. Hopefully the goslings are raised and gone before construction starts.
Comments are closed.