The cyberattack that crippled Atlanta earlier this year may have been one of the more noteworthy hacks of a public entity, but the Georgia state capital certainly hasn’t been the only city targeted by cyber criminals in recent months – or even the one with the biggest ransom demand.
The Wall Street Journal reported in June that even smaller American cities haven’t slipped past the hungry eyes of hackers, and some of them have received much higher ransom requests – generally made in bitcoin and converted to reflect an approximate figure in dollars – than the $51,000 demanded by Atlanta’s hackers.
It was Spring Hill, Tennessee, that topped the Journal’s list of ransom bills, with $250,000 that was not paid after ransomware crashed the city’s computer system. Far behind in second place was Dawson County, Georgia, where hackers demanded $98,000 in April 2018, which also went unpaid. Leeds and Montgomery County in Alabama, the town of Rockport in Maine, and the St. Louis Public Library were just a few of the other public entities that were victims of cyberattacks in 2018, 2017, and long before that, too.
“It’s not a new threat at all and, frankly, it’s one that our firm and my practice have been focused on for a couple of years now. We were writing about this back in 2016 when it seemed to be that the hackers were focusing on local governments and schools and hospitals and police stations,” said Jared Zola, a partner in Blank Rome LLP’s insurance recovery group. “We, at the time, were surmising that these types of organizations were maybe easier to target, and didn’t have the same level of data security and data security personnel that a large corporation may have.”
Other experts agree with those suspicions, though it’s also the specific data these public entities store that makes them vulnerable to attack.
“Normally, they store copious amounts of data on citizens, whether it’s tax records, property tax information, social security numbers,” said Velvet Johnson, an attorney in Michael Best’s privacy and cybersecurity group, adding, “A lot of these cities, local government, municipalities, they just don’t have the funding to invest in cyber security so they really haven’t hardened their infrastructure, which makes them a very easy target.”
Hackers who go after smaller public entities are aiming for quantity, not quality. They’re operating on volume, according to Johnson, which is easy to see when you look at the sizes of the demands. For instance, Licking County in Ohio was targeted in early 2017 with a ransom demand of $50,000, while Leeds got a demand for $12,000, of which $8,000 was paid. The end goal for the small public entity hacker is to actually get the money and not bankrupt a town or library.
“A public entity may not have those resources, so the size of the demand frequently is hundreds or thousands of dollars, but there’s a higher frequency of them,” explained Zola, adding that sometimes it’s just the threat of malware that can impact these entities. If a hospital receives an encrypted email claiming that nefarious malware has been uploaded to the system and giving them 10 hours to pay $5,000 in bitcoin, the administration might not have time to determine if that’s actually the case, especially since many public entities don’t have security professionals on site to do the digging.
Both Zola and Johnson recommend cyber insurance coverage as well as risk mitigation measures that should be implemented long before a ransom demand is made.
“Ninety per cent (90%) of cyber security attacks [are due to] what we describe as a lack of basic cyber security hygiene,” said Johnson, and teaching employees not to click on fishy links isn’t too costly, though insurance can also help with that.
“Having the right cyber insurance in place really helps alleviate a lot of the costs that would otherwise be spent on a full-time data security professional or sophisticated data security measures being implemented proactively,” said Zola.