Ransomware attack on Suffolk County heightens importance of cybersecurity for local municipalities

The cyber breach earlier this month that left Suffolk County systems in turmoil has placed a heightened emphasis on the importance of cybersecurity for local municipalities that can be particularly vulnerable to threats.

So far, town governments in Riverhead and Southold have remained relatively unaffected by the hack against the county.

The ALPHV/BlackCat and LockBit 2.0 ransomware groups have apparently been behind much of the activity targeting state and local government and education sectors in 2022, according to industry group SecurityScorecard. A message the BlackCat group posted Sept. 15 threatened to leak information from more than 4 TB of stolen data unless the county pays an unspecified “small reward.”

There were 27 ransomware incidents affecting the public sector in the first six months of 2022, an almost 50% decrease from the number that occurred in the first half of 2021, according to an August report from cybersecurity company Emsisoft. Those 27 incidents are estimated to have cost governments more than $218 million.

Suffolk County has “crime protection insurance against computer hackers with unauthorized access who attempt to transfer funds or securities to unauthorized accounts,” a spokesperson said. 

They did not elaborate on how the county is upgrading cybersecurity following the most recent attack but said Suffolk has invested more than $6.5 million in cybersecurity since 2019, when it was the first New York municipality to contract with a vendor “to conduct a tabletop security exercise to evaluate network weaknesses and develop enterprise responses to cyber incidents.”

“The ‘cyber checkup’ helped the county train and understand abilities to respond to a cyber threat and utilized this robust tabletop exercise to identify possible operating vulnerabilities,” the spokesperson said. Also in 2019, the county implemented mandatory cybersecurity training across departments. 

Documents posted so far by the ransomware group include speeding tickets, contracts with county vendors and a handwritten marriage license from 1908, Newsday has reported. A Sept. 24 update from BlackCat, as reported by the blog databreaches.net, claims the group will post another 400 GB of county and contractor data unless payment is made.

A Suffolk County spokesperson said the government “has begun the rolling restoration of services, including bringing the [Suffolk County Police Department’s] computer-aided dispatch back online for the 911 call center,” and anticipates “restoring additional critical services this week, in order of importance.” 

An anonymous writer running databreaches.net said in an email to a reporter that county files uploaded by the hackers showed they had access to backup tools that “should have provided the county with a backup to use for recovery from a data disaster.”

“But if the criminals had access to it, were they able to wipe out the backups?” the blogger, who goes by Dissent Doe, wrote. “I would ask Suffolk: Does the county have a recent and usable backup to restore from once it gets clean servers or has data been irretrievably lost/destroyed?” 

A county spokesperson said in an emailed statement that “assessment into the cyber intrusion is ongoing,” but did not otherwise elaborate on the state of backup systems.

Town Responses 

In Riverhead, town systems remain “fully functional” with increased security protocols, said Supervisor Yvette Aguiar. Town officials have been using “secondary methods” to communicate with the county and the Riverhead information and technology director is fully engaged in monitoring the town computer network day and night, she added.

When the supervisor took office in January 2020, she took “a quick assessment of our cybersecurity and it was absolutely minimal.” Hiring network and systems administrator Chip Kreymborg to head the IT department in May 2020 was the key move the town made to improve its cybersecurity, the supervisor said.

Mr. Kreymborg said the only impact the town is seeing from the county cyber breach is that Suffolk has been using “a secondary work-around to make sure all the work gets done, regardless of that secure connection being down.” The town doesn’t have access to systems the county took offline, he said. 

Southold Town has “quite a bit of security, including several firewalls,” according to Supervisor Scott Russell. He declined to discuss other protective measures and programs to avoid creating potential vulnerabilities. 

“While we know that no matter what measures you put in place, there’s always risk in a new world driven by technology,” Mr. Russell said via email. “We also regularly monitor and try to eliminate any ports of entry, including reminding staff not to click on any attachments without confirming the source. We are confident that we have very good protection from attack, although we do recognize that no measure of protection is foolproof. We maintain vigilance.”

Southold does not carry cyber insurance, the supervisor said, although the town would like to implement a policy in the near future. “It’s surprisingly difficult for governments to get,” he added.

Both the Mattituck-Cutchogue and Riverhead school districts suffered recent ransomware attacks. Riverhead significantly ramped up cybersecurity following the attack and Mattituck-Cutchogue has taken similar action. 

“We’re following the recommendations of the top people in the industry as far as what’s best practice for protecting data,” said Mattituck-Cutchogue Superintendent Shawn Petretti, although he noted the district emerged “fairly unscathed” from an attack earlier this summer.

“Through the work that we’ve been doing and working with some different companies and Homeland Security, we’re taking additional precautions — can’t share all that with you, to protect our data. So we’re looking to come out of that even stronger than we were before we went in,” he added. 

No vital data was stolen in the attack earlier this summer, although the district had to rebuild services and upgrade cyber infrastructure. At an executive session on July 12, the Board of Education hired Kelly Urraro as the district’s director of technology, effective Aug. 8. 

Mr. Petretti said at a recent school board meeting that people in each district building were placed on “firewatch” after the ransomware attack, and each building has been hooked up to a hard drive. 

Riverhead Central School District was the target of a ransomware attack last November, in which 422 files/folders were compromised. Some of the potentially exposed information may have included the names, birthdates and addresses of students and their parents or other relatives, the district said earlier this year.

Since then, the district has implemented a system to detect and shut down potentially malicious activity, 24/7 monitoring and email encryption, and has switched to Google Cloud Services and invested in backup systems. The district also regularly tests for vulnerability, trains staff on cybersecurity and has prepared an incident response plan for any future cyberattacks.