Back to the Mar-Apr 2019 issue

How to Respond to a Computer Security Breach

By Renee McGivern

On Dec. 19, 2018, Bigfork City Clerk Angie Storlie started her work day as usual by sitting down at her office laptop to read her emails. She spotted one from another city clerk with the subject line “In reply to November 30 meeting” and a Word document attachment named “Arvig.”

Bigfork, located in Itasca County, has 450 residents and a K-12 school, lumber mill, 20-bed hospital, and rural electric company that serves the region. The primary internet provider there is Arvig.

Storlie thought it was a bit weird that the clerk was forwarding an email about an old meeting but went ahead and clicked on the attachment. And then all heck broke loose on her computer.

“The document opened to a blue Word screen and, before my eyes, it shut down and so did every other Microsoft app,” Storlie says. “Then my background screen turned solid black with orange text that said they had seized all my data and that I had to wire $2,400 to a Syrian bank before they’d restore it.

“My heart sank,” she adds. “The email made sense, but yet it didn’t make sense, and that should have made me pause and not open it.”

Classic ransomware example

This is a classic example of ransomware, a form of malware that encrypts computer files and programs so you can’t access them until you pay a ransom.

Storlie immediately contacted a computer service and repair business in Grand Rapids. The city has a $300 annual contract with Caverly Computing for remote monitoring and virus updating. A technician there accessed her computer and saw right away that her files and programs were seized.

Storlie didn’t pay the ransom. The city’s most important documents, as well as its accounting and billing software, are backed up on the cloud. Also, she was able to restore other files without a problem because she backs up everything on the computer regularly.

After dropping off her computer at Caverly for a week, she used the city’s public works laptop and got back to work.

“All I can say is, if there’s something not right about the email, don’t open it and check with the sender,” Storlie says. “And do a backup of your computer every time you work.”

Using cloud-based services to store important information is a great idea for cities, says Greg Van Wormer, assistant technology services director with the League of Minnesota Cities (LMC). But don’t jump into using one, as you might do with your personal computer.

“Have your city attorney review the terms of service of the cloud agreement to make sure it works with the Minnesota Government Data Practices Act,” recommends Van Wormer, who will be presenting a session on computer security at the League’s 2019 Safety & Loss Control Workshops in March and April. Make sure the terms state how the cloud service will keep your nonpublic data secure.

Watch out for phishing, too

Another common computer security problem is phishing. Hackers use clever ways to “fish” for important data like social security or credit card numbers. This, too, can start with an email from a familiar sender or what seems to be an official government or business representative, similar to Storlie’s situation.

The City of Albert Lea (population 18,000), located on the southern border of Minnesota, dealt with a phishing scam last summer. The city attorney was notified by the FBI that someone at the city had responded to a phishing email, and the scammer gained access to 330 W-2 forms with social security numbers of past and present employees.

“These hackers are so sophisticated and the emails so believable that it makes you wonder what they could accomplish if they applied themselves to the greater good,” says City Attorney Kelly Martinez.

Response to the breach

The first thing Martinez did was verify that the FBI agent really works for the FBI. Then she called the city’s information technology employee and pulled the managers together.

“We determined exactly what happened, who was impacted, and if anything else on our computers was affected,” she says. “I never did find out how the FBI knew about it, but we’re glad they notified us.”

Martinez also reviewed Minnesota Statutes, section 13.055, the law on disclosing security breaches, to make sure the city complied with notification and reporting requirements. The statute defines a breach of the security of data as “unauthorized acquisition of data maintained by a government entity that compromises the security and classification of the data.” The statute is a great starting point for writing a city policy about cybersecurity.

Another resource that Martinez tapped into during the crisis was the League, where she got advice about engaging with a cybersecurity firm. The city hired a firm to conduct an independent review and write a report (fulfilling a requirement of the state statute). The firm managed a call center so affected city employees could get clear answers about their social security numbers.

The city sent a letter to employees to tell them about the breach and inform them about credit monitoring and credit freezes. There were mixed reactions from employees.

“Part of the letter described how to keep your identity safe and other things you should do to protect your identity and credit account,” says Martinez. “We also held informational sessions to answer questions and assist employees through the process.”

This particular W-2 scam was not unique to Albert Lea last year. The Minnesota Department of Revenue posted a notice on its website warning employers about it.

Contact your insurer

Another important step Martinez took was to contact the League of Minnesota Cities Insurance Trust (LMCIT) right away. LMCIT Claims Manager Darin Richardson says it’s always a good idea to contact the Trust as soon as possible if you suspect a computer security breach.

“We can quickly assign claims staff, advise on our coverages that apply, and explain the claim process,” Richardson says. “From there, we will evaluate what resources to recommend.”

The League partners with NetDiligence, a resource that provides breach-prevention and consulting services. It offers LMCIT members one hour of free consulting to discuss a specific incident.

Contacting the League immediately helps secure a NetDiligence breach coach sooner. Among other things, the breach coach provides initial thoughts on whether an incident rises to the level of a breach, and makes recommendations on what to do next.

“Once the one free hour has been exhausted, the member has the option to continue to work with the breach coach to assist them throughout the rest of the data breach incident process,” Richardson says. “The expense is covered under our data security breach expenses coverage.”

Communicating about the breach

Whenever a data breach happens, chances are good your city will need to communicate with the public about it in some way. In Albert Lea, for example, a local newspaper reporter called about the phishing incident. Martinez answered the reporter’s questions carefully, providing only the information the city was certain of.

That was the right thing to do, according to Jennifer Hellman, chief operating officer with the public relations consulting firm of Goff Public.

“The important thing is to come out quickly with base level information about what happened and what you know at that time,” Hellman says. “Be transparent and tell people you’ll keep them informed with regular updates,” especially if the breach affects residents.

“Transparency isn’t telling every tiny detail, but people need to understand that you have plans in place to protect them,” Hellman adds.

She suggests that cities talk through how they’ll handle communications crises, like a computer breach, before anything happens. Identify red flags to watch for and what news should be shared publicly.

“Know when to elevate an internal computer security issue and who to bring it to inside the city so you can address things before the problem gets bigger,” Hellman says. “In the end, the most important thing is to maintain the trust of the residents and businesses in your city.”

Educate employees

LMC’s Van Wormer says what happened in Albert Lea and Bigfork can happen anywhere. He emphasizes the need to educate employees about phishing and computer security. The key is to create an environment where they feel safe to tell someone they did something wrong.

“There are so many times when somebody makes a mistake or they’re pretty sure they made a mistake, and they hide it,” says Van Wormer. “The problem with doing that is that malware and viruses can propagate quickly, and they’re opening the city to bigger risks.”

Renee McGivern is a freelance writer based in Woodbury, Minnesota.