If you haven’t heard lately, when it comes to getting phished, municipalities and local governments aren’t doing too well. And it’s costing them a lot of money.
According to a recent article on the SC Magazine website, four different municipalities were hit with ransomware attacks during the week of April 15, 2019. The article said, “Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days.”
In the case of Augusta, Maine, the article mentioned that, “The attack has affected the police dispatch system, the municipal financial systems, billing, automobile excise tax records, assessor’s records and general assistance.” It doesn’t get much worse than that.
The article further stated that, “The city said the malware gained entry into its network in an unknown fashion.” Malware doesn’t just show up. It has very specific delivery mechanisms and it almost always involves email (i.e., phishing).
Just in case you think municipalities getting phished isn’t a gigantic problem, “Officials in Jackson County, Georgia, paid $400,000 to cyber-criminals to get rid of a ransomware infection and regain access to their IT systems,” according to awareness training company KnowBe4.
To put that in perspective, you can protect an organization of 100 employees with advanced cloud-based phishing protection for less than 50 bucks a month. That means Jackson County, GA could pay for 470 years of phishing protection for the amount of ransom they paid. Talk about an ounce of prevention.
It’s not just counties though. Cities, government agencies and school districts are getting stung too. The city of Chicago lost more than $1 million in a phishing scam according to CBS Chicago. The news outlet stated, “The City of Chicago’s Department of Aviation thought it was paying an approved vendor more than $1 million for services earlier this year.” When asked about the breach, security expert Paul Peterfish said, “It’s certainly easier than robbing a bank.”
The Oregon Department of Human Services got hit by a phishing scam. The compromise resulted in a data breach that exposed in excess of 1.5 million records of state residents, including sensitive information protected under HIPAA like social security numbers and birth dates.
“According to a March 21 Oregon DHS press release, the incident took place last Jan. 8, when nine separate agency employees opened a spear phishing email and clicked on a link that compromised their email mailboxes and the two million emails within.”
Scott County School District in Georgetown, KY was a victim of a $3.7 million CEO fraud according to KnowBe4. The article stated, “The FBI is now investigating after Superintendent Dr. Kevin Hub said an undisclosed vendor told the district it never was paid for an invoice from two weeks ago. As the district investigated, it learned it fell victim to a fraudulent email disguising as the vendor. The school lost $3.7 million as a result of the scam.”
How many months of phishing prevention would that pay for?
Why aren’t municipalities on board with phishing prevention technology? It’s easy to deploy, incredibly affordable and more importantly, it works. Why do they have to learn this the hard way and pay huge ransoms? If I were a taxpayer in one of these jurisdictions, I’d sure want to know why.