On March 22, 2018, a cyberattack hit the City of Atlanta. A ransomware program infected the City’s computer systems. That malware encrypted the city’s files, and officials believe it may also have provided unauthorized access to the City’s data to a group of hackers (although, the City says it has not yet “seen any evidence that personal information has been misused as a result”). The hackers demanded a ransom payment of six bitcoin (valued at approximately $50,000).
The attack left the City’s employees shut out of the systems that power the municipal government, including email and systems allowing residents to pay fees and fines, such as traffic tickets and water bills. City employees were not able to turn back on their computers, printers, or City-issued devices for five days, until March 27th. If there is any good news to be found, it is that emergency services (police, fire, and 911) were not among the agencies affected by the attack.
The same hacking group responsible for the Atlanta incident has attacked businesses, hospitals, colleges and government agencies around the country since December 2017, “earning” them ransom payments of more than $800,000.
Troublingly, local media in Atlanta have reported that the City of Atlanta knew months before the incident that the City’s information technology office needed far more resources. The City’s failure to implement plans to protect IT systems had left it wide open to outside threats. An internal City audit conducted in the summer of 2017 had revealed “severe and critical vulnerabilities,” as well as that the City had “no formal processes to manage risk [of data security incidents].”
It is no surprise that a municipality would make an attractive target for a malicious hacker looking to steal or ransom valuable information. For taxation and other purposes, local governments routinely collect and maintain files of private and confidential information about their residents. Personally-identifiable information abounds in public records, including names, addresses, dates of birth, and Social Security numbers. When left exposed and taken up into the wrong hands, that information can be used to perpetuate identity theft and other fraudulent activity.
For public entities battling tight budgets, planning for a cyber-attack with appropriate policies and procedures may seem difficult to manage.
But ransomware and other information security incidents can be avoided through training and education, security assessments and IT support, strong data security policies, appropriate breach response plans, and attention to insurance and indemnification issues.