Tony DeGonia - U.S. Army Veteran | Senior Sales Engineer | Solutions Architect | Changer of Landscapes.

Data breaches are increasingly a part of everyday life in the United States. Hardly a day goes by when you can’t watch the news or read on the internet about another company having its networks breached by cybercriminals. Billions of records are exposed to hackers every year, and 2019 was no exception.

Though many Americans expect the government to have the answers to combat cybercrime, the government is historically slow to understand the day-to-day rigors of cybersecurity. Only in the past few years has the federal government started to make a publicly visible, organized effort to combat cybercrime. However, most of its efforts are directed at nation-state attacks coming from many of the enemies of the U.S.

The best efforts to combat cyber threats are coming from a handful of state-level governments in the form of laws and regulations around individual privacy. While this is a noble effort to protect the privacy of individuals, it does little to combat the act of cybercrime. And while the federal government increasingly improves its cyber posture to compete in the nation-state war on the internet, this does little for the many federal agencies that are left to fend for themselves in creating solid security plans.

Even worse off are the municipalities left with “guidance” from the FBI and other federal agencies charged with helping these small governments all over the country. While the guidance is okay and federal laws give teeth to the mandates, real help for these smaller governments is still a “hope and a prayer” away.

Direction for the “how” and “what” of protecting a municipality is getting better in most states, especially around law enforcement. The FBI’s Criminal Justice Information System dictates much of the guidance, policies, and procedures for local and state law enforcement in order to access the CJI systems at the federal level. Many smaller municipalities sign contracts with their law enforcement agencies to dictate the IT and security structure for both entities.

However, the larger the municipal entity, the more separation there is in systems, policies, and procedures. Law enforcement agencies have numerous purchasing vehicles at their disposal and can apply for numerous grants to supplement the financial needs of the agency, easing the burden of implementing technology and meeting other needs and requirements. The local municipal government, though it is the ruling body, cannot make use of as many grants and subsidies to provide the necessary systems and is generally on a much stricter budget than the law enforcement agency.

2019 saw at least 7.9 billion records, including credit card numbers, home addresses, phone numbers, and other highly sensitive information, exposed through data breaches. This occurred across all business segments.

However, to get more specific about government and municipal breaches: at least 174 municipal institutions suffered ransomware attacks in 2019, according to research from antivirus software provider Kaspersky. This represents a 60 percent year-over-year increase.

In addition, cybercriminals demanded an average ransom amount of approximately $1 million and requested ransoms up to $5.3 million from municipalities this year, Kaspersky reported. They also frequently used the Ryuk, Purga, and Stop malware families during their municipality ransomware attacks.[1]

Below is a list of some of the worst government breaches of 2019. Note that municipal breaches in 2019 started fast and furious and continued through the entirety of the year.

Unknown – Oklahoma Department of Securities, January 17, 2019

The Oklahoma Department of Securities (ODS) left millions of government files exposed and unprotected on an open server belonging to the agency. Among the exposed files were records pertinent to FBI investigations. The oldest exposed records dated back to 1986, and the files ranged from personal data to login credentials and internal communications records. The ODS is currently investigating how many records were exposed, who may have accessed them, and the potential damage this data breach may have caused.

100,000 – Alaska Department of Health & Social Services, January 23, 2019

Alaska’s Division of Public Assistance was the target of a cyberattack that exposed data of at least 100,000 people. It is still unknown who the attacker was, but they were able to access the names, birth dates, addresses, social security numbers, health information, and income of people who had applied for government programs.

Unknown – The United Nations, January 29, 2020

Hackers compromised dozens of UN servers in the summer of 2019, yet the world body kept it a secret, even from its own employees. While the size of the breach is unclear, staff records, health insurance, and commercial contract data were compromised. As the UN is under diplomatic immunity, they are not required to divulge what data was taken or notify those affected. The UN was allegedly notified about several security issues years ago.

2.4 Million – Dow Jones, March 1, 2019

One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records, including those of government officials and politicians, were leaked online. According to reports from ZDNet, the information was stored, alarmingly, on a publicly accessible database.

2 Million – Oregon Department of Human Services, March 21, 2019

Government organizations are just as likely to suffer data breaches as hospitals, businesses, and two-person startups. On March 21st, the Oregon Department of Human Services announced that poorly trained employees had fallen for a phishing attack, compromising highly sensitive personal information of roughly 1.6 million people. This includes emails, addresses, names, and much more.

1.8 Million – Federal Emergency Management Agency, March 22, 2019

Data breaches are particularly harmful when they affect vulnerable people. In March 2019, the Washington Post reported that 1.8 million disaster survivors had their banking information plus their home addresses accidentally shared with contractors. These people had primarily sought shelter after wildfires and hurricanes.

Mars Mission Data – NASA, June 24, 2019

On the 24th of June, it was reported that NASA had experienced a significant security incident. According to this report, an unauthorized individual managed to access NASA’s Jet Propulsion Laboratory, making off with highly sensitive information. The hacker supposedly went undetected for 10 months and had access to many critical projects – including details about NASA’s Curiosity Rover.

78,000 – Maryland Dept. of Labor, July 6, 2019

According to Yahoo News, 78,000 people may have had their personal information exposed due to a data breach affecting Maryland’s Department of Labor. The data breach reportedly occurred earlier this year, and no evidence of malicious activity was found. Nevertheless, the Department is offering all affected customers two years of free credit monitoring.

14,600 – Los Angeles County Department of Health Services, July 10, 2019

CBS Los Angeles reported that malicious actors managed to use a phishing attack to access highly sensitive personal information of 14,600 patients. 2019 has been a horrific year for customer privacy in the medical industry, with breaches occurring on an almost weekly basis.

According to reports, the Los Angeles County Department of Health is in the process of notifying patients. The phishing attack happened in March 2019, and the hackers seemingly had access to employee accounts for several hours. Among the exposed information are names, addresses, phone numbers, and patient information.

5 Million – Bulgaria’s National Revenue Agency, July 17, 2019

Bulgaria suffered a devastating data breach, the largest in its history, according to The Next Web. Hackers managed to breach the National Revenue Agency and access highly sensitive information of 5 million citizens. Bulgaria’s population stands at 7 million, meaning that almost everyone is affected.

The compromised data includes personally identifiable numbers, addresses, and even income data. The hackers sent a download link to local media and stated: “The state of your cyber-security is a parody.” An investigation into the extent and ramifications of the data breach is underway.[2]

Palm Bay, Florida

Date: August 29, 2019

Number of records breached: Up to 8,500.

Information exposed: The billing information of up to 8,500 Palm Bay residents who pay their utility bills through the city’s online portal.

Description: A third-party company that operates the payment portal Click2Gov told the city of Palm Bay that it found evidence of malware that may have compromised the billing information of thousands of the city’s utility customers.

The good news is that the billing information contained on Click2Gov is encrypted. This means that if someone attempted to access the exposed information, they would be unable to do so without the unique decryption key to unlock and decipher it. This adds an extra layer of protection for Palm Bay customers.

According to news channel WFTV, the city of Palm Bay has since moved the billing information to a new server and removed any malware from the system.

Georgia Tech

Date: December 14, 2018, to March 22, 2019

Number of records breached: 1.3 million

Information exposed: Names, addresses, Social Security numbers and birth dates.

Description: Starting in December 2018, an unknown outside entity accessed a central database maintained by Georgia Tech University. The database contained the names, addresses, Social Security numbers, and birth dates of current and former students, faculty members, and staffers at the school. Georgia Tech said the information of 1.3 million people might have been exposed in the breach.

Georgia Tech says it is notifying 1.265 million people and offering credit monitoring and identity theft protection services to those whose Social Security numbers were exposed. The university has also established a dedicated call center for individuals who have questions about the breach.

What to do:

Georgia Tech recommends that university students, faculty, and staff actively monitor their credit reports, credit card statements, and bank statements for unauthorized activity.

If the university did offer you free credit monitoring and identity theft protection, consider taking it up on the offer. These services could help you determine if someone is using your information to make unauthorized purchases or to open accounts or loans in your name.[3]

Notable Municipality Ransomware Attacks in 2019

Cybercriminals launched many ransomware attacks against cities, towns and government organizations in 2019, including:

December 2019: The town of East Greenwich, Rhode Island battled and mitigated a ransomware attack.

Dec. 7, 2019: The city of Pensacola, Florida suffers a cyberattack that impacts its phones, email, and various e-commerce services.

Nov. 18, 2019: A ransomware attack shuts down Louisiana state websites and many online government services.

July 25, 2019: City Power, the electric utility for Johannesburg, South Africa, discloses a ransomware attack.

June 26, 2019: Lake City, Florida agrees to pay the ransom associated with a ransomware attack.

June 20, 2019: Riviera Beach, Florida, discloses ransomware attack and payment.

May 7, 2019: City of Baltimore hit with a ransomware attack.

April 2019: Cleveland Hopkins International Airport suffered a ransomware attack.

April 2019: Augusta, Maine, suffered a malware attack that froze the city’s network and forced the city center to close.

April 2019: Hackers stole roughly $498,000 from the city of Tallahassee, Florida.

March 2019: Albany, New York, suffered a ransomware attack.

March 2019: Jackson County, Georgia officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.

March 2018: Atlanta, Georgia suffered a ransomware attack.

February 2018: Colorado Department of Transportation (CDOT) employee computers were temporarily shut down due to a SamSam ransomware virus cyberattack.

There are many things that municipalities can do to combat ransomware attacks, such as:

  • Implement data backup software and services.
  • Deploy endpoint, network and cloud security solutions.
  • Provide employees with cybersecurity awareness training.
  • Perform regular software updates and patching.
  • Use two-factor authentication (2FA).

Also, partnering with an MSSP can help a municipality prepare for cyberattacks. MSSPs can offer security services and insights that enable municipalities to optimize their security posture and limit the risk of data breaches.[4]

As far back as 2013, the FBI has advised municipalities to “not pay the ransom.” However, many municipalities wind up paying the ransom simply because they don’t have the right personnel or access to the right personnel. This is caused by a few factors:

  1. Hiring and retaining good security talent is difficult.
  2. Contracting with high-end security companies that can help mitigate these attacks can be very expensive, often costing more than the municipality’s annual IT budget.
  3. Lack of understanding at the local level of the guidance given by higher-level agencies around how to secure their IT environment.

These are problems that can be fixed with proper education, sound security planning, and an acknowledgment by local leaders that cybersecurity needs to be at the forefront of their efforts. Protecting their municipality, their citizens, and the vast amount of data held within the IT systems at the local level will, as with other high data-bearing industries, become a priority. Someday.

References