DOZENS OF MASSACHUSETTS MUNICIPALITIES have been targeted by ransomware attacks — cyberattacks on computer systems that are designed to extort money.
A shocking investigation from NBC 10 Boston found that many municipalities have been attacked and at least 10 municipalities have ponied up the cash, all of it taxpayer money. Many of the payments have been in the form of bitcoin — an encrypted, digital currency that experts say is “all but impossible to trace.” The ransom payments ranged from $300 to more than $11,000.
Ransomware is software intended to damage a computer system and often steal data. Hackers use it to take advantage of computer networks that aren’t as secure as they could be.
The analysis from the station’s Ryan Kath and Jim Haddadin shows one in six Massachusetts communities have been hit by these attacks.
Lt. James Graham of the Bedford Police Department described the moment two years ago when he saw an ominous message on his computer screen, telling him hackers had seized control of the department’s electronic records. “It was heartbreaking when I first saw it,” Graham recalled. “I’m like, ‘Oh, we’re done.’” As a result, dispatchers couldn’t log any new incidents in the records management system. The department ended up having a backup system, that restored the missing files in a few hours. But other law enforcement agencies were not so lucky.
In a South Coast town, a police officer ended up paying $4,600 out of his personal bank account because the department couldn’t get money together to pay the hackers in time. The town eventually reimbursed him. In Douglas, police paid $750 in ransom money but lost almost a week of police logs, which they had to recreate from arrest and crash reports. Athol’s police department was also hacked, and it took months for the agency to reassemble its data.
David Farrell, assistant special agent in charge of counterintelligence and cyber programs at the FBI’s Boston office, said ransomware is one of the agency’s top cyber security concerns.
Police departments aren’t the only ones being hacked. Just a few days ago, a physician organization affiliated with Boston Children’s Hospital said it was hacked, the Boston Business Journal reported. The Pediatric Physicians’ Organization at Children’s said it experienced a malware incident that caused a system-wide outage that affected 500 primary care physicians, assistants, and nurse practitioners statewide.
Educational institutions are also at risk. The Leominster School District and Bay Path Regional Vocational Technical High School were victimized by cyber and ransomware attacks. Leominster paid $10,000 in bitcoin ransom in 2018 that came out of the school’s general fund because the incident wasn’t covered by any insurance.
The state’s Office of Consumer Affairs and Business Regulation urges all of its licensees to develop cybersecurity plans and update them regularly. The Department of Homeland Security offers a digital toolkit for small businesses, educators, and industry professionals who are trying to figure out how to beef up security. According to a 2018 report from a special Senate Committee on Cyber Security Readiness chaired by Worcester Sen. Michael Moore, the state is following a 13-year-old cybersecurity plan.
The Massachusetts Executive Office of Technology Services and Security also developed a set of strategic priorities for cybersecurity in the executive branch. That’s the most recent update, and it only applies to the top-tier of the state’s government.
“Massachusetts, typically a trailblazer in technological policy, is currently lacking in its cybersecurity plans and tactics. Several other states have successfully implemented cybersecurity plans for both their public departments and private companies conducting business within their state,” said a report issued by the special Senate committee.
Moore and Needham Sen. Becca Rausch are currently sponsoring a bill that would establish a 13-member Cybersecurity Control and Review Commission that would recommend standards for cybersecurity measures for state data. Private sector businesses contracting with state agencies would be required to adopt those rules. A bill filed by Rep. Shawn Dooley of Norfolk would create a similar body in the House of Representatives.