WNYT reports:
The city of Gloversville’s computer system was hit by a ransomware attack, which compromised the personal information of employees past and present.
The attack was discovered by the finance commissioner back in March, the city announced on Saturday. There was a ransomware note on the server. Gloversville reported the attack to the FBI. State Police and the Department of Homeland Security’s Incident Response Team.
The attackers, who are believed to be from Eastern Europe, stole employees’ personal information, including all payroll records and account numbers, according to the city.
The city hired consultants to negotiate the ransomware demand, which was $300,000.
The City Council approved paying $150,000 in exchange for the return of the stolen data.
The FBI is working to track down the suspects and possibly recover the ransom money, according to city officials.
DataBreaches is reproducing the city’s notice below because it is has some statements that raise questions. Specifically:
- They write, “Since this was an active criminal investigation, it remained confidential, on a need-to-know basis, per the recommendation of State and Federal law enforcement agencies assisting the city. (FBI, Dept of Homeland Security, US Secret Service, NYS Police).” A “recommendation” is not the same as law enforcement obtaining a court order or certifying in writing that an entity is not to disclose an incident. Did they have an actual court order or certification to justify delaying notification?
- They paid the attackers to get a decryptor, and presumably, to get data deleted. Did they have any usable backup stored safely prior to the incident, and if not, why not?
It seems another entity has again rewarded threat actors by paying their ransom demands. That’s a shame.
