[BreachExchange] Joplin ransomware attack exposed some customer information

Mon Jan 31 09:57:21 EST 2022

https://www.joplinglobe.com/joplin-ransomware-attack-exposed-some-customer-information/article_8c07ee88-8086-11ec-9876-6b5f8a64e548.html

Personal and banking information about some city utility customers was
accessible to cyber security terrorists who hacked Joplin city government
computer and telephones in July.

Those customers affected are now being notified by letter that city
officials have recently learned their information was compromised,
according to a city statement issued Friday.

The system intrusion that occurred sometime between July 2 and July 6 last
year encrypted the city’s data and records, blocked access to information
stored in the system, and temporarily disabled the city’s phone system.

An insurer for the city paid a ransom demand of $320,000 intended to
prevent the release of any personal information the hackers obtained from
the system.

City officials had said after the incident was discovered that information
about those who have city sewer and trash services was not endangered. They
said at the time that it was confirmed that the third-party service that
processes utility payments was not part of the cyber security attack and
that the city did not store payment information in the city’s network.

On Friday, the statement reported that information stored in city computers
with the names and banking information of Joplin and Duquesne customers who
paid by check between 2013 and 2021 was compromised, although that does not
include people who used the third-party service to pay online or paid by
cash.

Asked in an email for an explanation about the contradictory information
regarding the possible compromise of customer information, the city
responded:

“After Joplin provided the initial statement on July 7, we continued our
investigation into the information that may have been involved in the
incident, a process which took time to complete. While the third-party
service that residents can use to make utility payments was not involved,
we did determine that information regarding the sewer bill payments made
via check was stored in our network and may have been involved in this
incident. We do not store other resident utility payment information.”

The city recommends that residents review their account statements and free
credit reports for any unauthorized activity. If any questionable
transactions occurred or take place in the future, the resident should
report such activity to their police or sheriff’s department.

In the course of the investigation of the cyber security breach, it also
was determined that files involving the employee health plan were accessed
by the system intruder or intruders.

Those files were reviewed and letters were sent to those individuals Sept.
8, 2021.Those files contained Social Security numbers and health insurance
information about those covered by city health insurance from 2015 to 2020.

As a result, the city provided identity monitoring services for those
people at no cost for a year so that they will have credit monitoring,
fraud consultation and identity theft restoration.

Asked why those services were not provided to utility customers, the city
replied through its public information officer, Lynn Onstot, that:

“The credit monitoring product is designed to let you know when someone is
opening a new credit account or filing a false tax return using your
information, which can occur with a Social Security number or driver’s
license number. We are providing those complimentary services to all health
plan enrollees. However, this product does not alert you if or when
fraudulent activity is made on a bank account. As a best practice,
individuals (utility customers) should monitor their accounts for any
suspicious activity and report it to their bank or financial institution.”

City officials have since put in place a $194,000 contract with a Kansas
City cybersecurity firm to provide more protection for the city’s computer
system and online functions.

City officials have opened a dedicated call center to answer questions
regarding the compromised information. That center can be reached from 8
a.m. to 5:30 p.m. central standard time on weekdays at 1-855-651-2613.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220131/9d7ecab2/attachment.html>