CHATHAM'S CYBER ATTACK

As county manager prepares to report on attack, a look at stolen files reveals severity of the breach

Data includes personal info about local residents, current and former employees


Stolen Chatham County government files posted online following an Oct. 28 ransomware attack contain personal information — including data such as Social Security and bank account numbers — of local residents, in addition to current and former county employees.

A review of some of the more than 14,000 documents — posted by international cyber criminal group, DoppelPaymer — by the News + Record and by a cybersecurity expert who helped provide access to them also reveals other disturbing and sensitive information: statements provided by Chatham County children who were victims of sexual abuse, performance evaluations and healthcare documents of current and former county employees and folders of files from criminal investigations labeled “closed” and “open.”

And as County Manager Dan LaMontagne prepares to deliver his report on the incident to Chatham County commissioners at the board’s meeting Monday, those affected are questioning how long county officials knew that private information was already posted.

One Chatham County employee, who spoke on the condition of anonymity, said they and others “have been kept totally in the dark.”

“County employees were not notified before the article came out,” the employee said, referring to the News + Record’s story, posted last Tuesday, which first detailed that sensitive information had been released online. “We all got an email later that day saying, ‘by now you’ve probably seen the article…’” in the newspaper.

The employee indicated they and co-workers were upset at the delay in making them aware that their personal data may have been compromised.

Chatham County has been working with state officials, including those from the Attorney General’s Office, on those notifications of employees and others, according to statements from LaMontagne. But cybersecurity experts warn that stolen data files containing personal information are sometimes sold to criminal entities which, in cases of failed ransomware, use them to apply for credit cards and run up thousands of dollars of unauthorized purchases. Making those affected aware of the theft as soon as possible, one cybersecurity specialist who reviewed the contents of some of the stolen files said, is paramount.

“It makes me mad,” said the expert, who was granted anonymity by the News + Record. “Imagine knowing that your most personal info had been posted online and could pop up anywhere at any time. If your Social Security number leaks, you can fix your credit — eventually — but there’s nothing you can do in cases like this. Once that info is out there, it’s out there.”

County officials have declined so far to answer questions about a notification timeline and services being offered to affected individuals. LaMontagne sent an email message to county staff regarding the stolen data and the news story after the story was published, according to a county employee who provided the email message to the newspaper. That message contained some of the same language used in an earlier statement provided to the News + Record about the posting of the stolen files.

In the email, LaMontagne said the county was reviewing files on the impacted server to collect the names and addresses of people whose “protected health information” or “personally identifiable information” may be at risk of exposure. He said those individuals would be notified of the situation but didn’t provide other specifics about timing.

“We are concerned about any sensitive files that may have been accessed and published, and we are working diligently to address the situation while continuing our recovery efforts,” the email said, adding that county staff has worked with state-level officials to meet notification/reporting requirements of such a breach.

“We will continue to engage in these conversations with our breach counsel, NCDHHS and the AG to ensure we respond in the most appropriate manner possible as it relates to the data accessed from our network during the ransomware incident,” the email said. “In the meantime, individuals who are concerned about their personal information being accessed may utilize a free security freeze, provided by the NC Department of Justice (NCDOJ).”

(More information can be found at: https://ncdoj.gov/protecting-consumers/protecting-your-identity/free-security-freeze.)

State law requires businesses affected by “a security breach” to notify any “affected person” of the breach “without unreasonable delay, consistent with the legitimate needs of law enforcement … and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.” But the same law says the definition of business “shall not include any government or governmental subdivision or agency.”

In response to questions posed via email to LaMontagne on Friday about the timing of the county becoming aware of the public posting of personal data, Chatham County Public Information Officer Kara Dudley replied with a statement she attributed to LaMontagne:

“Chatham County is concerned about any sensitive files that were posted online as a result of the cyber incident on October 28, 2020, and we are working diligently to address the situation as well as continue our recovery efforts.”

Dudley’s response also repeated a portion of LaMontagne’s message to county staff, citing the county’s work with the N.C. Dept. of Health and Human Services and the N.C. Attorney General’s Office.

The breach

“The extent of the breach does not surprise me at all,” said David Delaney, former senior cybersecurity attorney for the U.S. Dept. of Homeland Security who now lives in Chatham. “Ransomware is an increasingly common attack not just against government entities like Chatham County but also in the private sector.”

It was on Oct. 28 that an international group of cyber criminals known as DoppelPaymer gained access to Chatham County’s government network with a phishing email. The attack — which was later revealed to be ransomware — “resulted in the encryption of much of our County network infrastructure and associated business systems,” according to a written report on the breach by LaMontagne included in the agenda packet for Monday’s Chatham County Board of Commissioners meeting.

Ransomware is the deployment of malicious software — often through an email attachment opened by an unsuspecting recipient — to infect and lock computer networks or files until a ransom is paid. Upon payment, the victimized entity typically receives a decryption key to unlock its data.

In the report, LaMontagne writes: “Ultimately, Chatham County took advice from all resources and proceeded with full system recovery” — which involved wiping the hard drives of more than 500 county-owned computers — “rather than paying the ransom demanded by the ransomware threat actors.”

The amount of the ransom demand hasn’t been made public.

Brett Callow, a threat analyst at Emsisoft — a company which creates software to protect clients from malicious websites and malware — told the News + Record that there are no reporting requirements about ransomware attacks. He estimated that between a quarter and a third of government entities and businesses subject to such attacks ultimately pay a ransom. He also estimated that fewer than 1% of ransomware cases are ever prosecuted.

On Nov. 4, a week after the breach and with the ransom not paid, DoppelPaymer released a selection of mostly innocuous county files on the “dark web” — encrypted online sites not found via conventional search engines — and the “clear web” via select key search criteria.

Almost three months later, though, toward the end of January, DoppelPaymer demonstrated the extent of its acquisition — this time posting several hundred folders of files of compromising data on its site. The documents posted number well into the thousands and take up more than six gigabytes of hard drive space.

A cybersecurity expert who reviewed the data said, “This is … terrible. It’s as bad as I’ve ever seen.”

The files uploaded in January include personal information of residents, employees and former employees, details of performance evaluations, and reports from child neglect and abuse cases.

Cyber crime experts suspect that DoppelPaymer is operated in Russia, headed by 33-year-old Russian national Maksim Yakubets. The Ukrainian-born hacker employs dozens of cyber criminals who target governments and companies around the world, potentially working on behalf of the Russian government, according to Newsweek and NPR reports.

“This kind of crime is something that very much looks like (what) these criminal actors do throughout the world,” Delaney said.

The report to commissioners

At Monday’s commissioner board meeting, which begins at 6 p.m. at the Chatham County Agriculture & Conference Center in Pittsboro, LaMontagne plans to address the issues surrounding the data breach in his first public remarks about it. Two documents — a report and a “cyber incident summary” — were included with the agenda packet provided to commissioners and posted on the county’s website on Friday. 

In that report, LaMontagne said that “Chatham County MIS staff acted swiftly to isolate affected systems by stopping communication across our network and externally.”

“MIS also enlisted assistance from state and local agencies with experience handling ransomware incidents,” he said. “Enlisting the assistance of these valuable resources helped our MIS staff quickly understand how to respond to the incident and most effectively mitigate any impact to our network.

“We are evaluating and implementing additional security measures and reinforcing employee training,” the report concludes. “The threat from outside individuals is constant and Chatham County aims to take all reasonable actions to secure their data and infrastructure.”

It is not yet clear whether LaMontagne will answer additional questions regarding the timeline of the breach, notification plans and the ransom amount when he presents the report to the board.

So far, Chatham County commissioners have not commented publicly about the breach. The News + Record reached out to each of the board’s five members by email on Saturday morning with additional questions — including when commissioners were made aware of the sensitive files being posted online and questions about informing residents and employees about the nature of the files posted — but as of Sunday evening, none had responded.