City of Albany Cyberattack
New York’s Capital, Albany, New York – Hit by Ransomware Attack
Last updated September 30th, 2019
The City of Albany Cyberattack occurred on March 30th, with city officials working over the weekend to respond to the incident. The attack caused damage to the City of Albany, and the extent and cost are not yet known. A press release was issued on March 31st on the official site for the Capital City of New York.
Mayor Kathleen Sheehan has made statements on Facebook and Twitter that the city of Albany has experienced a cyberattack. The City of Albany cyberattack Facebook statement reads:
“**City of Albany Outlines Service Availability** On Saturday, the City announced that it experienced a ransomware attack. City officials have worked throughout the weekend responding to this incident. All city employees will report to work during normal business hours on Monday, and City buildings will be open to the public at 12:00 p.m. City Court services will operate during normal business hours.”
The Twitter status reads: “The City of Albany has experienced a ransomware cyberattack. We are currently determining the extent of the compromise. We are committed to keeping you informed and will provide updates as they become available.”
Mayor Kathy Sheehan is scheduled to hold a press conference on Monday, April 1st at 12:30 PM at Albany City Hall to provide an update on the availability of city services as detailed in a press release on Albany’s official website.
The mayor has yet to “disclose the specific strain of ransomware; whether Albany lost any data; or if the city paid any ransom to the attackers.” “Sheehan said the city is working to determine the extent of the compromise” (https://cbs6albany.com/news/local/city-of-albany-experiences-cyber-attack).
According to the Times Union, credit monitoring will be offered to all city employees as a precaution. Residents can use credit cards to pay taxes but Sheehan says the city does not keep the numbers.
April 1st, 2019 – April Fools’
This is no small joke or hoax. The breach raised major concerns for the head of the city police union. Greg McGee, head of the police union, states the cyberattack took down a database used in police cruisers for background checks. The attack also took down the department’s own database, which has officers’ personal information and the department’s schedule for officers.
The Mayor continues to state the impact on police operations was minimal. Mayor Sheehan says there’s no evidence that any personal information was taken. The city of Albany is still trying to determine the root of the attack, and no details have been made public.
Times Union’s Steve Hughes, who attended the press conference, states there is “no evidence personal data was taken”. The City is still evaluating “system impacted, appears payroll services are affected. Employees tracking hours on paper. Won’t say if the city paid the ransom.” Mayor Sheehan “says the city was alerted by IT system that was wrong, still tracking the cost to the city.”
As detailed in a Facebook post made by Gregory McGee, Vice President of the Albany Police Officers Union (APOU): “Calls for service may take longer than expected to complete due to the fact officers do not have the tools at hand to provide the appropriate level of service.” The post then goes on to state: “One has to ask the question of why a police department with sensitive information is on the same network that was so easily attacked. What are the contingency plans in an event like this? Why is there no information being explained to the members of the APOU? What is the timeline for services being restored so that the members of the APOU can provide citizens with the appropriate services? Is the sensitive personal information of APOU members secure, and what, if any, guarantees are there that it is?”
According to the Times Union (https://www.timesunion.com/news/article/Albany-police-can-t-access-scheduling-system-13730578.php), “Police spokesman Steve Smith said Sunday that the department remains adequately staffed and there are no interruptions in service to the community.”
April 2nd, 2019 – Update
The city of Albany continues to try to recover from the cyberattack over the weekend. Mayor Sheehan says no personal information was stolen during the ransomware attack. The attack was first discovered Saturday, March 30th, and disabled a number of city computers.
April 5th, 2019 – The First Major Update
WNYT News Channel 13 is reporting that Albany Police Union Vice President Officer Gregory McGee has been notified by City of Albany Police Officers that there has been some fraudulent activity on their bank accounts. “They’re noticing some substantial withdrawals are occurring,” said McGee, and some officers have had their bank accounts drained.
April 6th, 2019 – Coping with a Ransomware Attack
According to CNN:
- On Monday, the police were able to digitally enter incident reports
- On Tuesday, the city was able to process marriage licenses again
- The police department’s scheduling program still is unusable
- Birth and death certificates are still unavailable
April 9th, 2019 – 11 Days post-attack
“City officials still have not released basic details on the attack” according to the Times Union. It has been reported that the city’s IT systems alerted administrators to a security issue because of the City of Albany Cyberattack.
April 10th, 2019 – 12 Days post-attack
Sheehan’s administration has given few details about the attack, including “how the attack occurred, who is handling the investigation, and whether authorities have a sense of who launched it.” Nearly all public city functions have been available since last week, but some of the city of Albany’s systems are still offline.
Mayor Kathy Sheehan has not spoken publicly about the incident since April 1st. Mayor Sheehan will speak about the incident in a press conference at 9:30 am today.
According to a press conference and video posted on News 10 ABC, birth, marriage, and death certificates were affected but are now up and running. The mayor stated, “The issue is that we have a number of options, from which to choose for rebuilding the data that was lost, and so we need to determine the most cost-effective and efficient way to do that.” This implies data was lost and there will be funds needed to build new systems.
CBS 6 WRGB has posted an additional video of Mayor Kathy Sheehan and Rachel McEneny, the Commissioner of Administrative Services. Mayor Sheehan did confirm it was ransomware: “We were notified by email that our files had been encrypted and that in exchange for paying a specified crypto-currency our files would be decrypted.” The mayor stated they could not discuss specifics about the ransom. The city has an investigation underway into the source of the attack and is still trying to determine where the vulnerabilities are in its systems.
According to the mayor, some data was permanently lost, but that data was either old records or systems they didn’t need anymore. The mayor also addressed the rumors that multiple police officers’ bank accounts were drained during the cyberattack. The mayor stated that one officer’s account was drained, but that this was an unrelated incident: the problem stemmed from a successful phishing attack conducted over the phone three months prior and was an ongoing issue.
The city is providing identity and credit monitoring services for more than 1,300 current city employees, retired city employees, and temporary workers.
Mayor Sheehan has not given any estimates on how much the ransomware attack has cost the city so far.
Additional Cyber Attacks
Additional cyberattacks have occurred at the University at Albany. According to a post on albanystudentpress.net from April 2nd, 2019, “there have been several attacks over the course of the semester, with the most recent crashing the university’s domain name servers over spring break.”
DDoS (distributed denial of service) attacks paralyze a computer network by flooding it with data sent simultaneously from many individual computers. Martin Manjak, Chief Information Security Officer at the University at Albany, states the most recent March attack utilized over 600,000 IP addresses over a period of four seconds. The DDoS attacks seek to slow down online resources and have even crashed systems so students and faculty cannot use them.
September 27th, 2019 – 179 Days post-attack
The city of Albany paid roughly $300,000 to recover from the ransomware attack. The $300,000 cost included destroyed servers, upgrading user security software, purchasing firewall insurance, and improvements to the city’s systems following the attack. The money was taken from the city’s contingency account.
“The key that saved us is we had daily backup of mission-critical systems,” said Rachel McEneny, commissioner of Administrative Services in a follow-up (https://www.timesunion.com/news/article/Ransomware-attack-on-Albany-cost-300K-to-14473544.php) Times Union report.
McEneny said the city’s Information Technology department received alerts early Saturday morning, March 30th, that there had been an infiltration, and the attack was announced on April 1st. The system was shut down and the hackers demanded payment in cryptocurrency for the city of Albany to recover files they had encrypted.
“We have an offline, backup system. We restore backups to ensure service continuity,” McEneny said. “We didn’t have to pay the ransom because we had backups of critical servers.” McEneny stated that restoring all of the city’s systems took about two or three months and was done in-house by the IT department. Some obsolete legacy systems were not rebuilt.
The City of Albany worked with the NYS Information Technology Services and the FBI, but officials didn’t have an update on those investigations.
In the immediate aftermath of the attack, employees received daily updates and were offered credit monitoring. Every city desktop and laptop was scanned before being put back online. The 2020 proposed budget is expected to include a 25 percent increase in funding for the IT department over the current $1.2 million budget, which will go toward future-proofing against cyberattacks.