The credit card numbers and other personal information of nearly 12,230 people were stolen in a recent breach of the Foothills Park & Recreation District website.
The district announced the breach Oct. 1, saying it is working with the Jeffco Sheriff's Office to investigate the theft.
Credit card numbers, first and last names, and addresses were stolen from an online registration database at www.ifoothills.org or at one of the district's facilities. Ronald Hopp, Foothills' executive director, said the three-digit security code on the back of the credit cards was not stolen — Foothills doesn't ask for that information — so the damage may be more limited than originally thought.
"Maybe we'll get lucky and the hacker didn't know what to do with the information when they got it," Hopp said.
Online registration has been suspended until "additional protections" are installed on the district's website, Hopp said.
Foothills has hired a network security consultant to audit the computer system and recommend future security measures, Hopp said. He added that the consultant is paid by the hour, and he's not sure what the total cost will be.
More than 10,800 e-mails have gone out to people whose information was stolen, Hopp said. The rest have been notified with a mailed letter.
People who have done business with the district may want to contact each of the three credit reporting agencies — Equifax, Experian and TransUnion — and request a "fraud alert" be placed in their file so they are contacted before new credit-based accounts are opened or existing accounts changed, the district said. People should also request a copy of their credit reports from those agencies and review them.
The district created an information page on its website — www.ifoothills.org/securityalert — for people with concerns. The page has links to the credit reporting agencies and phone numbers to help with the situation. People can also call 303-409-2124 with additional questions.
The district noticed computer problems the middle of last week, and thought it could have been a computer virus, Hopp said.
"What we really think is that it's a sophisticated operation, and they actually put viruses in the system to distract from what was really going on," he said.
The cyber-thief apparently entered through a glitch in third-party software that the district uses for its online registration. The district came to the conclusion that personal data had been compromised Sept. 29. The breach was announced Oct. 1.
District lawyers are reviewing whether the data theft opens the district up to any liability.
"For right now, we're assisting people with notifying (credit reporting agencies), have a hotline set up, and we're suggesting they contact not only the credit agencies, but also the credit card companies to talk about what measures they can take to protect themselves," Hopp said.