Atlanta Cyberattack Shows Importance of Cybersecurity for Municipalities
April 4, 2018
On March 22, 2018, a cyberattack hit the City of Atlanta. A ransomware program infected the City’s computer systems. That malware encrypted the City’s files, and officials believe it may also have given a group of hackers unauthorized access to the City’s data (although the City says it has not yet “seen any evidence that personal information has been misused as a result”). The hackers demanded a ransom payment of six bitcoin (valued at approximately $50,000).
The attack left the City’s employees shut out of the systems that power the municipal government, including email and systems allowing residents to pay fees and fines, such as traffic tickets and water bills. City employees were not able to turn their computers, printers, or City-issued devices back on for five days, until March 27th. If there is any good news to be found, it is that emergency services (police, fire, and 911) were not among the agencies affected by the attack.
The same hacking group responsible for the Atlanta incident has attacked businesses, hospitals, colleges and government agencies around the country since December 2017, “earning” them ransom payments of more than $800,000.
Troublingly, local media in Atlanta have reported that the City of Atlanta knew months before the incident that the City’s information technology office needed far more resources. The City’s failure to implement plans to protect IT systems had left it wide open to outside threats. An internal City audit conducted in the summer of 2017 had revealed “severe and critical vulnerabilities” and showed that the City had “no formal processes to manage risk [of data security incidents].”
It is no surprise that a municipality would make an attractive target for a malicious hacker looking to steal or ransom valuable information. For taxation and other purposes, local governments routinely collect and maintain files of private and confidential information about their residents. Personally identifiable information abounds in public records, including names, addresses, dates of birth, and Social Security numbers. When left exposed and allowed to fall into the wrong hands, that information can be used to perpetrate identity theft and other fraudulent activity.
For public entities battling tight budgets, planning for a cyber-attack with appropriate policies and procedures may seem difficult to manage.
But ransomware and other information security incidents can be avoided through training and education, security assessments and IT support, strong data security policies, appropriate breach response plans, and attention to insurance and indemnification issues.
The McNees Privacy & Data Security team assists municipalities, colleges and universities, and businesses by helping to plan for and limit the risk of data security incidents.
© 2018 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.