Officials in Mecklenburg County, N.C., where hackers in December froze data, declined to pay a ransom and plan to move aggressively to strengthen security.
Public and internal online services in Mecklenburg County, N.C., where hackers last month penetrated defenses and froze key data, are nearly completely restored but the incident has changed the county’s security posture and strategy, its county manager told commissioners this week.
Mecklenburg County temporarily shuttered all online systems as a precaution, but has already relaunched core, critical Tier One services and should restart any remaining Tier Two internal-facing applications by week’s end, County Manager Dena Diorio told the Board of County Commissioners at its Jan. 3 meeting.
Those public-facing areas include online tax payments and access to code enforcement, human resources; and the departments of social services, and parks and recreation, she said, emphasizing that while “tremendous progress” has been made, “much work” remains.
In an email, Assistant County Manager Mark Foster said Information Technology Services (ITS) staff have “worked around the clock for the past few weeks to restore applications and systems,” utilizing backups and other sources.
But the Dec. 5 hack, believed to have been perpetrated by criminals from Iran or the Ukraine who froze data with a new strain of ransomware known as LockCrypt, then demanded a ransom payment of two Bitcoin, has further galvanized the county’s top tech officials and its dedicated IT staff of 151 employees.
The county, which serves more than 1 million residents and includes Charlotte, the state’s most populous city, must further enhance its cybersecurity position and tactics, Diorio told the commission.
“We must strengthen our security systems to stop the ability of hackers to successfully attack us again. I am determined that Mecklenburg County will lead the way with a new normal security posture,” Diorio told the commission, indicating staff has already taken “concrete steps” to make networks more secure and will “redouble” threat education and training for employees.
Members were generally receptive and complimentary — praising the manager for her decision, announced Dec. 6, to not pay the ransom, which would have cost more than $23,000 at the time.
The financial impact and ongoing cost of the breach, which affected 48 of the county’s 500 servers, are unclear, but the manager told commissioners that staff is updating and moving up elements of its security plan on a two-year timeline.
“IT services is developing a revised comprehensive security plan that will accelerate components of their three-year strategic business plan in Fiscal Year 2018. Implementation of these projects will continue into FY 2019 and beyond,” Diorio said, adding that she intends to bring the plan and recommendations to the commission “over the coming weeks.”
Diorio did not mention specific details about ITS’ “new normal” posture or the revised security plan. She noted, when she answered a request from Commissioner Trevor Fuller for “a little more granular” examination of the incident, that such an up-close look would likely come during the closed session portion of a future meeting.
Charlotte-based forensic company Fortalice Solutions is assisting onsite with forensic analysis and will provide the agency with a report, the county manager told commissioners. Foster said via email that the county has also worked throughout its recovery with legal team Mullen Coughlin LLC, and cyber technical consulting firm Kivu Consulting Inc.
Commissioners praised the work of Diorio and IT staffers and commended the manager for standing up to the hackers.
“The community sees it, that you guys are working overtime to get systems back up and get servers back up. A lot of organizations buckle and say, ‘We’ll just go ahead and pay.’ I just want to commend you for that decision. I know it was a tough one to make,” said Commissioner Matthew Ridenhour, who pronounced himself “excited” to hear about the IT team’s progress and “some of the things we plan to accelerate to keep Mecklenburg County up and running and data-secure.”