WESTWOOD, N.J.—A Police Department server was hit in a ransomware attack in December 2018 that prompted a temporary shutdown while backup systems took over, though the attempt to leverage police files for money was unsuccessful.
That’s according to Mayor John Birkner Jr. on June 27, expanding on a “Notice of Data Privacy Incident” posted on the borough’s homepage on Monday, June 24, that advises residents to keep an eye on their credit reports.
The borough says there is “no evidence of any attempted or actual misuse” of information. Data in Westwood’s systems can include names, Social Security numbers, driver’s license and state identification numbers, and financial account and credit/debit card information.
Police Chief Michael Pontillo told Pascack Press on June 27 that “At the end of the day it was a nothing burger: pretty much a hiccup and an annoyance.”
He said “foreign actors” proved they had swept police desktop files but that no dispatch or deeper criminal justice databases were involved. He added that the attackers threatened to expose the data and directed the department to an email address where officials were to receive instructions to pay money.
“We have backup systems in place that protect our information so that we’re not shut down by a ransomware attack. The system worked and we didn’t have to pay a ransom. We never got there,” Pontillo said.
He added, “What they ended up getting was a lot of daily documents created in-house—files off desktops.”
Crime was reported to FBI
After “unusual activity” was detected Dec. 22, 2018, the borough began a forensic investigation and reported the incident to the Federal Bureau of Investigation (FBI), the New Jersey State Police, and the Bergen County Prosecutor’s Office.
Birkner told Pascack Press that “Our police department was able to thwart the effort … There was no disruption in service and no data was lost.”
He emphasized that taxpayer and employee information was held on an unaffected server.
He added that measures were taken in the aftermath to educate town workers on “commonsense things” like not clicking email links that don’t seem like they’re legitimate.
“We have very strong firewalls in place and are keeping a diligent watch on activity. … This kind of thing is more and more common in communities throughout the country but certainly in New Jersey,” Birkner said.
He added the borough was working with its insurer “to combat the frequency of these issues and to make sure we have safety measures in place.”
Asked why it took six months to make the breach known, with related warnings, Birkner said, “This was due to the investigation and sensitive nature of the incident. We have met our [state] notification requirements.”
He added, “We were fortunate, but there are a lot of other towns that are not as fortunate.”
Indeed, a month after Westwood was attacked, Elmwood Park and Fair Lawn were targeted in cyberattacks that evidently were all part of a rash of such crimes against municipalities in the United States and Canada.
Two Iranian cybercriminals attacked the City of Newark’s computer systems in April 2018. In November, just after a six-count indictment was announced, reports said the pair used a sophisticated ransomware program called SamSam to remotely lock Newark’s files and demand a ransom payment—some $30,000 in Bitcoin—as part of a scheme that extorted $6 million from 200 victims nationwide.
They remain at large, and there is no evidence that the Iranian government was behind their alleged scheme.
“They deliberately engaged in an extreme form of 21st century digital blackmail—attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” Assistant Attorney General Brian Benczkowski of the Criminal Division of the Department of Justice was reported as saying at the time.
“They’re trying to impact our way of life. They’re hitting the most critical targets because they want to maximize their targets, but they’re also trying to maximize the damage that they can do,” said U.S. Attorney for New Jersey Craig Carpenito.
The FBI says ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since Jan. 1, 2016. This is a 300% increase over the approximately 1,000 attacks per day seen in 2015.
It adds that ransomware may direct a user to click on a link to pay a ransom; however, the link may be malicious and could lead to additional malware infections.
Some ransomware variants display intimidating messages such as “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine” and “You have 96 hours to submit the payment. If you do not send money in time all your files will be permanently encrypted and no one will be able to recover them.”
Notice on borough’s homepage
On Monday, June 24, Westwood duly made its breach known as a public notice under its website’s “public notices” sidebar—above a measles update and a notice on child lead screening.
It said the investigation had not revealed evidence suggesting any information was viewed, accessed, or obtained by the unauthorized actor.
The notice says that “On or around Dec. 22, 2018, Westwood became aware of unusual activity on the Westwood network. Westwood immediately launched an investigation into the activity, which included working with a leading third-party forensic investigation firm, to determine the nature of the activity. The investigation confirmed that malware was introduced on the network on Dec. 22, 2018.”
Based on the available evidence, the forensic investigation “was unable to determine what, if any, information on the relevant Westwood systems may have been accessed,” according to the notice.
The borough adds, “Therefore, in an abundance of caution, Westwood is taking steps to provide notice of this incident.”
Residents can protect themselves
The notice also provides “a dedicated line for individuals seeking additional information regarding this incident.”
That number connects to a third party, Epiq, in Oregon, that says it is “a worldwide provider of legal services, serving law firms, corporations, financial institutions and government agencies—helping them streamline the administration of business operations, class action and mass tort, court reporting, eDiscovery, regulatory, compliance, restructuring, and bankruptcy matters.”
In the wake of the discovery, the borough says, it “began taking necessary measures to contain the incident and secure the network. Westwood also worked with third-party forensics investigators to determine the full scope of the incident.”
Westwood says that it encourages “potentially affected individuals to remain vigilant against incidents of identity theft or fraud, to review account statements, and to monitor credit reports for suspicious activity.”
It says adults can obtain one free credit report annually from each of the three major credit reporting bureaus by visiting annualcreditreport.com or calling, toll-free, 1-877-322-8228.
For a credit report, contact:
- Equifax, P.O. Box 105069, Atlanta, GA 30348, 1-800-685-1111, equifax.com;
- Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, experian.com;
- TransUnion, P.O. Box 2000, Chester, PA 19016, 1-800-680-7289, transunion.com.
For information on identity theft, fraud alerts, and security freezes, contact the credit bureaus, the Federal Trade Commission, or the state Attorney General.
You can contact the FTC at 600 Pennsylvania Ave., NW, Washington, DC 20580; identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY 1-866-653-4261.
For more information, visit westwoodnj.gov.
This story updates the initial web-only version of our breaking news.