Suffolk County is still reeling following a cyberattack in early September that forced the shutdown of web-based applications and websites. County Executive Steve Bellone has confirmed that cybercriminals have taken responsibility for the hack and county officials are working to protect sensitive data. The county has urged residents to closely monitor accounts and credit reports.
In posts to the dark web, hackers claimed access to 4 terabytes of county files, including “huge databases of Suffolk County citizens extracted from the clerk.county.suf. domain in the county administration.” A Sept. 24 update from the hackers, according to databreaches.net, claims the group will post 400 GB of county and contractor data. Newsday has reported that documents already published include speeding tickets, contracts with county vendors and a handwritten marriage license from 1908. The hackers have indicated they’re looking for a “small reward” to restore computer infrastructure and destroy obtained data.
Times Review spoke with Steve Morgan of Northport-based Cybersecurity Ventures about the cyberattack and how county residents can protect themselves. His answers have been edited for clarity and space.
Q: What should Suffolk County residents be concerned about in terms of their personal data?
A: This is not entirely known yet. According to the Suffolk County website, “While the cyber assessment remains ongoing, we believe that the threat actors accessed and/or acquired certain personal information from one or more County agency servers.” Until the county concludes its investigation and begins to notify residents, the concern is that your identity may have been stolen. To what extent has to do with any information a resident voluntarily entered on the county site OR any information obtained by any authorized party — for instance the Suffolk County Police Department — which was then stored on the county site.
The concern is great because the county is a victim, there is no worry about what they would do. The county wants to protect itself and its citizens. The worry is about what a cybercriminal would do. Historically, they publish data on the dark web in order to extort their victims. In the case of Suffolk, the hackers already published a limited amount of data, just enough to let the county know they’ve got it. That is a negotiation tactic. What else the criminals have and if it gets posted online remains to be seen.
Q: What steps can county residents take to protect themselves?
A: As a precautionary measure residents should immediately change passwords on all of their online accounts. They should also turn on multi-factor authentication (MFA) — two-step verification (2FA) in all of their apps. This requires an extra step to access any account. After entering your login ID and password, your app (i.e. email, banking, etc.) will send a secret code to your phone via text. You are required to enter this code to access your app. It turns your phone into a physical key. Most apps offer this feature but it is commonly turned off and consumers often don’t know about it. These security measures will go a long way in protecting residents — and frankly, they should be doing this anyway.
[Note: Suffolk County has posted cybersecurity advice for residents on its temporary webpage. Locals should “regularly review” accounts and credit reports, place a fraud alert on credit files, consider placing a security freeze on credit reports, and otherwise “remain vigilant,” according to the county.]
Q: In the wake of a hack at the county level, what should local governments do to prepare for similar attacks?
A: Every municipal government should have all of their data backed up all of the time, and an incident response plan that includes restoring that data to its systems in the event of a cyber- or ransomware attack. Their incident response plan should include immediate availability to cybersecurity experts and, if they are not employees, then a third party (cybersecurity firm) should be contracted.
It is critical that all municipal governments know exactly who and how to get in touch with the FBI, the lead law enforcement agency when it comes to these types of crimes. Remember, the county is a victim. Cybercrime is the only type of crime where there is not sympathy for the victim. There is a tendency to point fingers at the victim, in this case the county, and ask why they didn’t do this or that. This ransomware attack is not something the county brought upon itself. Cybercrime is the fastest growing type of crime and ransomware attacks are being launched on governments, schools, businesses and consumers, globally, every day.