Thousands of people named in SPD records dating back several decades could be receiving letters stating their personal information — including Social Security numbers — may have been obtained in a data breach discovered in early 2025.
Syracuse officials — citing ongoing security protocols — won’t say how many people were affected or what specific data was compromised.
A March 27 letter to one potential victim obtained by syracuse.com stated that person’s Social Security number could have been compromised.
Syracuse began issuing letters in late March through cybersecurity firm IDX. Those receiving the notices can sign up for 12 months of free IDX credit monitoring and identity protection service.
City officials said the notifications went out after an investigation into what police initially described as a “security incident” involving its information technology system discovered on Jan. 11, 2025. At the time, the police department shut down its computer system to prevent the problem from spreading and it took several weeks for the system to be fully restored.
The city then worked with cybersecurity and forensic specialists to investigate “suspicious activity on our network” in which certain digital files were “accessed or acquired without authorization” between Jan. 10 and Jan. 12, 2025, according to the letter.
The investigation dug further into the content of the files to determine all of the people named in those files and the information about them that was included. That work recently concluded with the issuance of the letters.
Mayor Sharon Owens’ administration briefed the Syracuse Common Council on the matter after letters went out. Sources familiar with that briefing said as many as 15,000 people were named in the compromised files, which date back to the 1980s.
City officials said their response has been in compliance with and guided by state and federal laws regarding data breaches. The letters and free credit monitoring are being provided out of an abundance of caution. The city at this point is not aware of any person whose information was confirmed to have been exposed.
The letters include the city’s logo, but it has an address to a post office box in California that’s maintained by IDX. The letters include a QR code and an online link with information on how to sign up for the credit monitoring and identity protection.
“The city wants to assure the public that we have taken this incident and our response very seriously, and we remain committed to protecting the information entrusted to us,” city spokesperson Sol Muñoz told syracuse.com in an email.
The total cost to taxpayers for the response has been $250,000, which is the deductible for the city’s cybersecurity insurance policy, Muñoz said. Insurance is covering all expenses beyond the deductible, including the costs for mailings and the credit monitoring for affected people who sign up.
Data breach and exposure notices have become common in recent years due to laws requiring disclosure and a large number of breaches taking place, IDX said on its website.
In 2025, 278.9 million victim notices were issued in the United States, according to the Identity Theft Resource Center. That figure was actually 79% lower from 2024, a situation that the center attributes to cyber attackers shifting away from massive breaches and focusing on “more frequent, targeted attacks on high-value data sources.”
©2026 Advance Local Media LLC., Distributed by Tribune Content Agency, LLC.
