The city of Gloversville notified more than 3,000 people that their data with the city may have been hacked following a security breach last spring, but otherwise kept the investigation confidential, following the advice of state and federal investigators.

The city issued a statement Friday adding details about the incident that began March 14, and for which the city eventually paid $150,000 in ransom to Eastern European hackers, and $250,000 in legal fees and security improvements.

“Since this was an active criminal investigation, it remained confidential, on a need-to-know basis, per the recommendation of State and Federal law enforcement agencies assisting the city,” the city announced, including the FBI, the Department of Homeland Security, the Secret Service and state police.

The city has faced criticism via social media following reports of the incident earlier this month. It posted a statement with details to social media and forwarded the statement to journalists.

“There’s been a lot of discussion on social media; it seems they’re slamming me and the administration for a lot of things that were completely inaccurate,” Mayor Vincent DeSantis said Monday, including that law enforcement authorities were never notified. “This tells exactly what we did from Day 1.”

The city negotiated with the hackers, talking them down to $150,000 from an initial ransom of $300,000, and to get the data back, the city reports. The data included personal identifying information of current and retired city employees, including payroll records, direct deposit information and account numbers.

“Meanwhile, the city took steps immediately to safeguard and secure any other sensitive information from further compromise and made all notifications in accordance with the law,” the city states.

It sent out more than 3,000 letters to notify people at risk of having personal information compromised and offering a year of credit monitoring and identity theft protection.

“The city also notified the attorneys general of nine states as required by law,” it states.

The investigation continues — the city was informed the attack had qualities that might allow it to be tracked — and the cybersecurity consultants told city officials they had received calls from two other cities and two corporations the same weekend, but did not identify them.

“There’s no such thing as having no chink in your armor,” DeSantis said, although security improvements since the incident in March mean the city now qualifies for cyber security insurance, which it is acquiring. “It’s not a matter of if you get attacked,........

© The Leader Herald