Delaware County officials paid $25,000 in ransom to hackers who infiltrated the county’s computer system

Hackers held sensitive data, including employees' personal information, for ransom.

Delaware County's computer network was attacked by hackers who gained sensitive data through a phishing email.
Photo credit: Dan Gleiter / The Patriot-News

Hackers used a malware attack to infiltrate Delaware County’s servers in the fall, and then held employees’ personal data for ransom, ultimately costing the county $25,000 in ransom to restore access to the data, according to county officials.

The attack was first reported Nov. 24, when county officials said the computer network had been compromised by a hack affecting everything but emergency dispatch and the then-ongoing certification of votes in the presidential election.

But in a presentation late Wednesday at county council’s meeting, chief information officer Frank Bilotta revealed the scope of the attack. Hackers — whom Bilotta did not identify — first infiltrated the network through a phishing email opened by a county employee in September.

Over the next few weeks, he said, the hackers used their access to the system to identify and steal sensitive data. On Nov. 23, they activated a form of ransomware that locked the county’s IT staff out of the network, and demanded money with the threat of releasing the stolen information.

The county contacted the company through which it holds cybersecurity insurance, as well as the FBI, and both began an investigation, Bilotta said. The investigation is ongoing, he said, and that limited the amount of detail the county could share. It was unclear whether the hack was a foreign or domestic threat.

Eventually, the county agreed to pay the hackers $25,000, which was covered by the deductible on its insurance policy. The county was then given a code that allowed it to have control of the system again, and a list of files that had been stolen by the hackers.

Council President Brian Zidek said at Wednesday’s meeting the decision to pay the ransom was not made lightly, but was ultimately necessary as the county neared the end of the year.

“We had to balance [making the payment] with the costs to the county if we didn’t pay the ransom, and those costs would’ve been high for manpower and womanpower and downtime for all of the departments,” he said. “It’s tough to measure the economic consequence to that, but I know it would’ve been a more profoundly disturbing incident if we hadn’t taken the actions we had taken.”

Councilmember Christine Reuther echoed those comments, saying that paying the ransom and restoring access to the system allowed the county to avoid missing a payroll cycle for its employees, and ensured that it could pay all of its vendors, who were struggling financially due to COVID-19 restrictions, on time.

“To put their cash flow at risk, to put payroll at risk, to put other things at risk, it really wasn’t an option and it was also a decision we didn’t make in a vacuum,” Reuther said.

In the coming weeks, county officials are working to upgrade the network’s security software, which they noted was inadequate, and better staff the county’s IT department.

Robert D’Ovidio, a professor of criminology and justice studies at Drexel University and a cybersecurity expert, said ransom payments such as the one made by the county are becoming more common as organized hackers increasingly target large organizations and businesses.

He said the $25,000 paid in this instance was “getting off cheap, especially for a government entity.”

“There is honor among thieves, so when you pay, they’re giving the decryption keys,” he said. “They’re living up to their end of the deal, because if they don’t, at the next attack, they’re not going to get the payday. The company is going to say, ‘You know what, it’s not worth the risk.’”