[BreachExchange] Bainbridge park district hit by cyber attack

Destry Winant destry at riskbasedsecurity.com
Tue Mar 17 10:24:41 EDT 2020


https://www.bainbridgereview.com/news/bainbridge-park-district-hit-by-cyber-attack/

Databases that contained the employee and financial records for the
Bainbridge Island Metropolitan Park & Recreation District were
destroyed by an internet hacker in late February, and the extensive
cyber attack has left district officials writing hand-written checks
to workers and vendors.

Parks executive director Terry Lande said the hacking was discovered
when employees came to work Monday, Feb. 24 and they couldn’t connect
to the district’s servers.

Three of the district’s servers — two at the parks headquarters at
Strawberry Park and one at the Bainbridge Island Aquatics Center —
were compromised.

The initial assessment was that park district data did not appear to
have been downloaded by the hacker.

Instead, someone accessed the district’s databases and deleted files.
Park employees soon learned that included all of the district’s
financial data.

Lande said the cyber intrusion was discovered two Mondays ago when a
parks employee had trouble launching server-stored programs and had
trouble connecting to the internet.

But then it got worse: the bookshelves in the district’s electronic
software library were empty. Payroll. Personnel. Vendors. Aisle after
aisle.

“We were missing a whole bunch of stuff,” Lande said, including
software for paying bills and doing payroll. Also gone was the
software that allows the county to transfer tax funding to the
district.

What wasn’t hit was any information from the public. Registrations for
programs, account information from customers and similar data is
actually maintained by outside contractors and is not stored in the
park district’s databases, officials said.

“All public data was secure and safe,” said Mark Benishek, recreation
division director for the parks district.

The park district’s website was also not impacted, as it is also
maintained by an outside contractor.

The attack has been reported to local, state and federal authorities.

The park district’s insurance has turned to forensic scientists, and
attorneys, to find out if any information from the park system was
downloaded.

“We don’t know if they downloaded anything,” Lande said.

At a special meeting late last week, park commissioners adopted a
resolution to increase the fund limit of its imprest fund — which is
used to pay expenses that require a check — from $30,000 to $80,000 so
payments could still be made while the district’s accounts payable
system is offline.

The district’s multiple backup efforts may save the day, though.

Lande said there were multiple places where the district has stored
copies of its digital records.

Since the attack, the initial work has centered on retrieving the
great bulk of data that can be pulled off the cloud.

“We may be able to recapture everything we lost,” Lande said.

Given the time it is taking to download data back into the system from
the cloud — which has already consumed the better part of a week and
will likely take three weeks to finish — Lande said it appeared the
hacker would have also faced a similar hurdle in downloading
information.

“They only had about 30 hours,” he said.

“If they would have downloaded stuff it would have taken a week just
for the aquatics [server],” Lande said.

The district did not get a “ransom note” asking for money to restore
the information that was taken, he said. That made the attack seem
purely malicious in nature.

“It appears this was a search-and-destroy mission,” Lande said.

Benishek said the investigation launched by the district’s insurer
will likely determine if any park district data was downloaded.

The three servers that were hit have been packed up and sent to
investigators, he said.

Lande said the cyber attack was the first ever for the park district.

The discovery of the damage was demoralizing, he added.

“Your heart drops,” he said.

“It’s a rather strange experience,” Lande added. “It’s very offensive.
The whole agency has been violated.

“Your stomach rolls over on you. Then anger. Frustration. All those
things. Then you find out there’s a certain amount of guilt involved;
‘What could we have done to prevent it?’”

The biggest question is the motivation of the attacker. “Why?”

“Why do people behave that way? I don’t have answers for that,” Lande said.

