The document discusses a penetration test conducted by the city of Tulsa, Oklahoma. The city hired a security firm, SecurityMetrics, to perform a penetration test but mistakenly believed the test was a real cyber attack when vulnerabilities were found. As a result, the city sent letters to 90,000 residents warning them of a potential data breach and spent $20,000 on mailing costs and $25,000 on additional security measures. It was later revealed that the vulnerabilities were discovered during the contracted penetration test, not an actual hack. The chief information officer involved was placed on administrative leave.