What happened
Dayton, Ohio Mayor Shenise Turner-Sloss and Commissioner Darryl Fairchild issued a public statement on May 2, 2026, demanding accountability after the city’s Automated License Plate Readers were pulled from service following confirmation that data collected through the technology was shared in an unauthorized manner.
The statement reveals that the Dayton Police Department may have been aware of the unauthorized data sharing as early as October 2025, but did not disclose it publicly. In January 2026, the technology was presented before the city commission without any disclosure of the known breach, despite the mayor and commissioner having submitted written and in-person requests for an audit of the ALPR program and its data practices since at least January. Those requests were not acted upon.
The mayor and commissioner issued four immediate demands: full release of all ALPR audit logs from 2020 to the present; a complete accounting of when the police department first became aware of the unauthorized sharing and who was notified internally; an explanation of why the January 2026 commission presentation omitted disclosure of the known policy violation; and a comprehensive review of the City Manager’s performance. They also called for immediate action to bring the governing ordinance into compliance and ensure no surveillance technology operates outside proper legal oversight.
Who is affected
Dayton residents whose vehicle movements were recorded by ALPRs and whose data was shared without authorization are directly affected. The full scope of what data was shared, with whom, and for what purpose has not been publicly disclosed. The audit logs requested by the mayor and commissioner may clarify the extent of the exposure when released.
Why CISOs should care
The Dayton case is a governance and oversight failure as much as a data breach. ALPR systems collect sensitive location and movement data at scale, and the unauthorized sharing of that data occurred within a law enforcement environment where audit requests were ignored and disclosure was withheld from elected officials for months. For security leaders advising local government or public sector organizations on surveillance technology procurement and data governance, this case illustrates what happens when data practices for high-sensitivity collection systems operate without meaningful oversight structures.
The pattern of audit requests being ignored and breach disclosure being delayed is also directly relevant to any organization deploying location or behavioral tracking technology. The question of who has access to that data, under what authorization, and with what audit trail is a governance requirement, not an optional control.
3 practical actions
- Establish formal audit and access logging requirements before deploying any surveillance or location tracking technology: The Dayton situation developed in part because audit logs were not being reviewed and oversight requests were not actioned. Any deployment of ALPRs, CCTV, or similar data collection systems should include defined audit log requirements, access controls, and a designated oversight body with authority to review compliance.
- Define and enforce data sharing authorization frameworks for sensitive collected data: Unauthorized sharing occurred because the authorization boundaries for ALPR data were either unclear or unenforced. Ensure that data sharing agreements, authorized recipient lists, and approval requirements are documented and technically enforced for any high-sensitivity data collection program.
- Treat delayed breach disclosure to oversight bodies as a governance risk requiring its own controls: The police department’s alleged awareness since October without disclosure to elected officials or the public represents a disclosure failure as serious as the breach itself. Organizations should establish defined internal escalation timelines for known data incidents, with clear obligations to notify oversight bodies within a specified window regardless of whether investigation is complete.
Also in the news today:
- Ameriprise Financial Data Breach Exposes Personal Information of 48,000 Customers
- Congress Punts FISA Section 702 Renewal to June
- Edtech Firm Instructure Discloses Cyber Incident, Probes Impact
- FBI Links Cybercriminals to Sharp Surge in Cargo Theft Attacks
- ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts
- 1,800 Developers Hit in Mini Shai-Hulud Supply Chain Attack Across PyPI, NPM, and PHP
