Suffolk County, still struggling to recover from a cyberattack earlier this year in which hackers reportedly stole 4 terabytes of data from county computer systems, revealed for the first time Wednesday specific information about a large-scale breach of a county network.
Personal data of individuals who were issued nearly half a million moving violations in the Suffolk County Police District during the past decade may have been accessed by hackers, Suffolk County Executive Steve Bellone’s office said in the Thanksgiving eve press release.
Approximately 470,000 moving violations were issued between 2013 and Sept. 8, 2022, the day the county took its computers systems offline in response to the cyberattack.
Driver’s license numbers of individuals issued moving violations during that time within the Suffolk County Police District — an area that takes in Suffolk’s five western towns — “may have been accessed by criminal actors,” according to the press release.
In addition, identification numbers (such as a driver’s license or passport) presented at Suffolk County’s Traffic and Parking Violations Agency in Hauppauge when paying by credit card for Suffolk County-issued tickets, including parking tickets, may have also been accessed, the release said.
Credit card payments to the TPVA are processed by a third-party vendor and personal information collected for those payments are not at risk, the release said. Parking tickets, red light camera tickets, and school bus camera violations themselves do not contain personal protected information, the county said.
Bellone announced that the county is offering “complimentary identity theft protection” to individuals who were issued moving violations by Suffolk County during the specified time period and people who paid Suffolk County-issued tickets, including parking tickets, at the Hauppauge TPVA office.
The complimentary identity theft protection services being offered to eligible individuals include credit monitoring, identity theft restoration services by cybersecurity firm Kroll, and identity fraud loss reimbursement coverage, that can reimburse victims for “certain eligible losses, including expenses and covered legal costs resulting from a subscribing member’s stolen identity event, fraud, theft, forgery, or misuse of that person’s data.” The policy being offered provides coverage for up to $1 million with no deductible and includes up to $10,000 reimbursement of stolen funds, according to the press release.
Complimentary credit monitoring and identity theft protection must be activated by Feb. 17. Affected individuals can activate the services at https://suffolkcounty.kroll.com/
“The protection of personal, sensitive information is a top priority for the county,” Bellone said in the press release.
The county took its computers and servers offline Sept. 8 in response to a widespread cyberattack. County officials have not provided much information about the attack.
After Suffolk went offline, a group that calls itself “Black Cat” claimed responsibility for the attack and provided some proof of access to county files on the dark web, threatening to dump more data unless the county contacts them and negotiates a “small reward” for their “work to find vulnerabilities on the Suffolk County computer network.”
The county has not acknowledged that any group has demanded a ransom.
County operations were crippled in the aftermath of the attack, with county websites, email, payments and other functions essentially knocked out when the county unplugged in response to the attack.
The county has been conducting a forensic investigation and working to rebuild computer servers and bring the government’s networks back online at a cost so far of nearly $5 million, Chief Deputy County Executive Lisa Black told county legislators at a hearing last month. Suffolk County Comptroller John Kennedy told Newsday the cost so far is likely more than double that figure, but “the invoices haven’t come in yet.”
The county does not have cyber insurance.
The County Legislature has created a bipartisan panel to investigate the cyberattack, to determine the source of the breach and how it happened. The panel has been given subpoena power by the legislature as well as the ability to put witnesses under oath and to retain outside experts to help in its investigation.
Legis. Anthony Piccirillo (R-Holbrook), chairperson of the legislature’s government operations and information technology committee, will chair the panel.
Newsday has reported that law enforcement and IT managers were alerted to suspicious activity on the county computer networks as early as June but did not act to contain it.
The Suffolk district attorney and the FBI both emailed the county’s cybersecurity officer near the end of June warning of the “possibility of an ongoing ransomware even,” Newsday reported last week.
The paper obtained emails from the county clerk to the county’s IT commissioner in which the clerk repeatedly complained about aged systems and outdated security technology and expressed worries about the threat of cybercrime. A cyberattack against the county clerk’s system would have “devastating” consequences that would perhaps be “beyond repair,” County Clerk Judith Pascale wrote in an email responding to IT Commissioner Scott Mastellon’s June 9 email rejecting Pascale’s request for a “higher level of firewall protection,” Newsday reported.
Bellone in his 2023 budget is seeking an increase of $8 million in IT funding, bringing the total to more than $32 million next year. The increase would fund 19 new positions, including a chief information security officer.
The survival of local journalism depends on your support.
We are a small family-owned operation. You rely on us to stay informed, and we depend on you to make our work possible. Just a few dollars can help us continue to bring this important service to our community.
Support RiverheadLOCAL today.