[BreachExchange] Cyber attack costs Woodstock more than $660K: Report

Destry Winant destry at riskbasedsecurity.com
Tue Dec 10 10:03:04 EST 2019


The numbers are in, and Woodstock’s September cyber attack is set to
cost the city more than $667,000, even though the city didn’t pay, and
never reached out to, the hackers behind the ransomware.

It seems like a big number – roughly nine times what nearby Stratford
paid as a ransom after a spring cyber attack – but experts say it’s a
short-term hit for a long-term gain in cyber security.

While difficult to compare the Woodstock and Stratford attacks – no
two cities conduct cyber security the same way – Woodstock’s costs are
in line with what residents should expect, one cyber-sector expert

“This is unfortunately very much in line with the losses we have seen
other cities incur,” said Carmi Levy, a London-based tech analyst. “It
is safe to say, as egregious as (almost) $700,000 might seem …
Woodstock has dodged quite the bullet here.”

Aided by a solid backup system for its data and outside support, the
city opted to fight the attack rather than contact the hackers and pay
a ransom. With no guarantees the hackers would provide the needed
passwords to unlock the city’s data, it was likely the wiser course,
Levy said.

“The fact that Woodstock can get away with a high six-figure bill and
then draw a line and call it done is actually the best of a bad
situation,” Levy said. “While, from a strictly dollar perspective,
Woodstock residents might wince … that (money) did not go into
criminal pockets. It went into building greater IT security and, in
that respect, is not a one-time cost as it is an investment.”

On paper, it can seem like paying a ransom is the cheaper option, but
that’s a “dangerous” assumption, Levy said. Choosing not to engage
with cyber criminals is much like not negotiating with terrorists,
sending a clear message that Woodstock is not an easy target, Levy

“The very fact that a ransom is paid immediately vaults that city to
the top of the potential future-victims’ list,” he said. “It is hard
to quantify what that vulnerability is, or will ultimately cost.

“Woodstock has learned a lesson, albeit an expensive one, and in the
process it has built competencies that will protect the city more
effectively in (the future).”

According to the Woodstock staff report, the cost to date to dig the
city out from the three-week cyber attack included more than $550,000
on outside experts and tens of thousands of dollars in staff overtime,
as the city essentially rebuilt its computer networks from scratch.

The city contracted cyber-security firm Deloitte for outside expertise
in incident management, forensics and IT support during the attack.
The service came with a total bill of $563,656.

The city’s decision not to negotiate with the hackers was made in
consultation with its experts, Patrice Hilderley, Woodstock’s
administrative director, said. The cost to rebuild the city’s networks
after the attack would have been necessary regardless, she said.

According to the Woodstock report, staff in IT and finance racked up
880 hours in overtime from the attack’s Sept. 20 onset to Nov. 30,
almost six weeks after the city had regained some functionality.

That amounts to $54,808 in overtime costs. Hilderley declined to
comment on how many staff were in that group.
