How Quincy hackers broke in; councilors talk missing $3.5 million

QUINCY – Officials say hackers were able to break into the city's computer network through a public-facing web application used by the police and fire departments in an attack that took down all 60 of the city's servers and included a demand for money for the safe return of Quincy data.

Chris Walker, chief of staff to Mayor Thomas Koch, this week told city councilors that almost all of the city's servers are back up and running after the "sophisticated" attack that touched every city department two weeks ago. He said hackers did manage to extract data from city servers, but that they didn't get their hands on anything that "wouldn't already be a public record." 

"This was a serious incident. The damage could have been severe, and the recovery could have been quite lengthy," Walker said. "But it wasn't, at least to our knowledge at this point."

The city did not permanently lose any data, he added, and no school department records were accessed. Employee information was also kept safe through encrypted software, and Walker said the city does not maintain banking or personal information of city residents. 

"Speaking anecdotally to some folks in other places and the experts, (losing data) was really probably the biggest threat of damage that we faced," Walker said. "The theft of data, the permits, licenses, financial records, those sorts of things that really could have made operating the city a little more difficult. Thankfully, our backup systems were intact and protected."

Walker said irregularities in the police department's system on Feb. 3 first alerted the city's technology department that something was wrong. When officials tried to restart the system, they discovered the hack and several text files demanding money for the safe return of city data.

The city then reached out to security contractor Sophos – hired by Quincy in 2018 to beef up security following an email phishing scheme – which brought in "more than a dozen" engineers to tackle the hack, Walker said. The server on which the hack was initially discovered has still not been brought back online. 

"This attack is a little more sophisticated, a little tougher to deal with than the usual attacks we're accustomed to when we see email phishing scams," Walker told city councilors Monday. "Sophos and our IT team essentially went computer by computer, network by network, server by server scouring, scanning and cleaning any suspect material off of the network. That process is just about wrapped up. ... Knock on wood, we suffered no material damage." 

Hackers were able to break into the system through web-based software used by the police and fire departments, officials said. When someone logged into the software from a city computer, hackers were able to work their way into the larger city system.

Brian Glavin, director of information technology for the city, said two-factor authentication will now be required for anyone logging in. He added that it would be beneficial for the city to hire its own security expert within his department. 

No updates on missing $3.5 million stolen in email phishing scheme

News broke late last week that $3.5 million was stolen from the Quincy Retirement Board in an email phishing scheme last year. A Quincy investment manager received an email from a former employee's board email account, which included instructions for a $3.5 million wire transfer. The manager made the transfer in February 2021.

John Parsons, executive director of the state commission that oversees local retirement boards, said he believes the transaction was "the result of human error and a breakdown of security controls." The Quincy board is now under investigation by the state board of overseers, and the money is still missing.

Ward 2 City Councilor Anthony Andronico and Ward 3 City Councilor Ian Cain asked at the meeting this week what steps are being taken to recover the missing money.

Walker said that because the retirement board is a separately governed entity, he is not authorized to speak "in any great detail" on the hack other than to assure the public there is "no threat that retirees will not receive their pension payments."

"These are two separate and distinct issues," he said of the city hack and the retirement board theft. "One is not at all related to the other. I know obviously the news broke on these things at roughly the same time, but I want to make that abundantly clear."

The Quincy Retirement Board said it did not learn of the fraudulent transfer until months after it was made and, in October 2021, it was reported to the state. Walker said he found out about the theft last fall. 

Neither the email hack nor the transfer was reported to the public or the city council. 

City Councilor-at-Large Nina Liang asked, "Why weren't we told about this?" 

"I am not the authority on this. I am not the governing body on this," Walker said. "That communication has to come directly from the retirement board." 

He referred any other questions to the retirement board, which has referred all questions to lawyer Michael Sacco. 

Sacco said in a statement that the "board is fully cooperating with the ongoing civil and criminal investigations into this matter. The board has implemented additional security measures to protect the retirement system’s assets and to detect and thwart any future cyber theft attempt. While the investigation is ongoing, the board will not have any further comment on the matter."

Original Source: https://www.patriotledger.com/story/news/2022/02/16/quincys-ransomware-hack-missing-millions-email-phishing-retirement-board/6788733001/
