WILMINGTON — The City of Wilmington announced Wednesday it is conducting a security review of its media mailbox system, which provides public access to city council and staff emails. The terminal will be taken offline while the review is ongoing.
Carolina Beach, Wilmington and New Hanover County are the three local government entities offering public access to its email terminals.
Though not required by state law, the terminals allow the public — though they are mainly used by journalists — to sift through emails without filing a public records request, which take more staff time and resources to process. However, Carolina Beach removed its terminal from the public earlier this month after undergoing a cybersecurity audit from the National Guard, which indicated it was potentially violating privacy laws.
READ MORE: Carolina Beach’s public access terminal shut down permanently over privacy violations
Recent Port City Daily stories originating from access to terminal emails — or sourced with them for more information — include CFPUA’s billing structure being connected to more disconnections, the city’s response to homelessness, and developments planned for city limits.
Most recently, PCD also found emails in the terminal showing the city’s planning department has issued updated guidance in light of recent incidents of scammers impersonating city governments. Planning Director Linda Painter wrote in a Feb. 3 email that staff should no longer include developer contact info in case summaries, redact contact information from applications posted online, and recommend applicants exclude or redact contact info from any plans submitted to the city.
In a statement Wednesday, the city said its terminal take-down is temporary and Wilmington City Council would have final say on whether the system continues. An update regarding the terminal’s status is expected by the end of March.
“This action is being taken out of an abundance of caution, and there has been no security incident involving the City’s media mailbox,” city spokesperson Amy Willis wrote in a release. “Recent events have shown that public-facing email terminals can create access points that increase risk for residents, employees, and City operations. The City is proactively using this opportunity to evaluate public-facing systems that provide access to records and communications, particularly where sensitive information could be exposed or misused.”
Earlier this month, the Town of Carolina Beach announced nearly $500,000 in funds were stolen from the government in two cyberattacks taking place in December, the same month Pender County announced it was the victim of a scam that lost the county $650,000.
Just a day earlier, the Carolina Beach Town Council heard from its town manager, Bruce Oakley, that it would permanently shutter its email terminal after 12 years of operation due to cybersecurity concerns.
“The terminal was put there to alleviate the stress on Kim [Ward, town clerk] from having to pull public records all the time,” Town Manager Bruce Oakley said at the Feb. 10 meeting. “Now we can digitize that and go through the website to do that.”
While Oakley said the email terminal and cyberattacks were not connected, he noted the town’s IT team thought the terminal could leave the town vulnerable to other threats.
“People can get in there, get not only potentially information for the town, but citizens and employees who could put HIPPA information or banking information could be picked off there, and they determined it was a threat,” he said.
The IT department’s concerns were also backed up by the National Guard’s audit, presented to council at its Jan. 30 retreat. The cybersecurity audit found the town’s terminal process did not filter out information appropriately. Instead, its system was “automatically forwarding all staff emails” to a “centralized repository account.” Essentially, any email would go to a publicly accessible laptop in town hall, without discriminating between confidential emails and non-confidential ones.
The City of Wilmington addresses this problem by asking staff to label email subject lines “protected” to filter out medical or personnel details from what is viewable to the public. If a confidential or protected email gets through to the terminal, it can be removed.
When PCD asked if Carolina Beach had considered implementing such stopgap measures, Oakley said the IT department’s suggestion was just to shut down the terminal altogether.
As for New Hanover County’s email terminal, county spokesperson Josh Smith confirmed the county is not making changes to the public email terminal at this time.
At Port City Daily, we aim to keep locals informed on top-of-mind news facing the tri-county region. To support our work and help us reach more people in 2026, please, consider helping one of two ways: Subscribe here or make a one-time contribution here.
We appreciate your ongoing support.
