Suffolk County, NY systems slowly crawling back online from crippling $5.2 million ransomware attack in September.

Three months later, Suffolk County, NY is finally beginning to recover after ransomware attackers took its systems offline on Sept 8th 2022, forcing staff to resort to pen and paper.

You can read our previous updates on the news here. 

The cyberattack that affected the county took down major systems and rolled the county back decades. 

Workers had to resort to pen and paper for their work, unable to access computer systems or records. 911 dispatchers had to record calls by hand. Real estate ground to a halt right as interest rates skyrocketed, preventing many from closing on or selling their homes for weeks. Payments to contractors and workers in the county had to be issued by handwritten cheque, after being delayed. Students from the community college are unable to access required documents to continue schooling. Tax refunds are on a 4+ month delay. Businesses, like child day cares, are struggling to obtain payments and keep their doors open.

Officials have reported spending over $5.2 million so far to find out what happened during the cyberattack, but the county is still months away from recovery. The total cost of recovery is still unknown. An additional $12 million or more has been budgeted towards forming a cybersecurity legislative committee in the county to investigate the attack and the hackers behind it. This comes after a $3.6 billion budget was also passed for cybersecurity in the county in response to the attack.

The New York Times reported the story as “How a Cyberattack Plunged a Long Island County Into the 1990’s”.  

Suffolk County reported that the cyberattack spread through its network to the systems of more than 20 county agencies, including the Police Department, Social Services, and Soil and Water Conservation.

The ransomware group ALPHV, also known as BlackCat, posted details of its hack of the county on the dark web, claiming over 4TB of stolen data.

“Extracted files include Suffolk County Court records, sheriff’s office records, contracts with the State of New York and other personal data of Suffolk County citizens,” a poster allegedly from BlackCat reported. 

Over Thanksgiving week, officials began to reveal some of what might have been stolen by hackers.

This list currently includes: 

  • 470,000 driver’s licenses
  • Passports
  • Information of anyone who was issued a ticket between 2013-2022
  • 26,000 current and retired employees’ Social Security numbers
  • Anyone enrolled in the county’s medical plan since 2013

The county is offering free credit monitoring and restoration to those exposed and/or eligible.  

“There’s one and a half million people who live in Suffolk County and we have half a million people compromised,” said Suffolk County Comptroller John Kennedy.  

The county was operating on outdated systems without cybersecurity measures like two-factor authentication, which allowed the hack to occur.  

An IT expert, who told News 12 they preferred not to be named, reported that it took five hours to turn off the more than 600 servers in the county to prevent further access by hackers, an amount of time that some cyber analysts feel was far too long. Any amount of time after a hack is detected gives attackers that much more time to steal information.

“This [was] a failure to go ahead and be proactive,” Kevin J McCaffrey, the presiding officer of the Suffolk County Legislature, said about the ransomware attack. This comes after reports that some officials in the county had feared for the security of their devices before the attack and had been rebuffed.

As reported by The New York Times: “In June, Judith A. Pascale, the outgoing county clerk, requested a separate firewall for her office, concerned her office’s data was vulnerable. Emails between Ms. Pascale and Scott Mastellon, the county’s information technology commissioner, appear to show the specific request was rejected. The emails were first reported by Newsday and obtained by The New York Times. (The county disputed the characterization and said that it offered an equivalent technology but the clerk’s office did not use it.)”

“It was a lesson learned, and a very expensive lesson,” County Comptroller John M. Kennedy Jr. commented, adding that he now spends most of his days signing cheques by hand. “And we learned very quickly of the investment that we had to make in cybersecurity all along.”

The Town of Islip, NY reported on Nov 25th 2022 that it had detected a cyberattack on its computer networks. Town officials shut down their networks and are in the process of restoring them. Supervisor Angie Carpenter reported to Newsday that while 900 town computers were checked, “the public was not compromised in any way.”

Cyber analysts are unsure if this activity was related to the Suffolk County hack, but investigations are underway.

Don’t assume it can’t happen to you, and don’t fall victim to a data breach or cybersecurity risk. We at Motiva Networks can help you make a plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment.