Audit: Baltimore Data Losses Due to Insufficient Backups

A recently released report states that information was lost after only being saved on local servers. The lack of available data hampered the ongoing recovery efforts and raised questions about protocols.

A recent audit of Baltimore's IT department found that the agency lost important data during this year's ransomware attack due to poor storage practices. 

Staff for the Baltimore City Information and Technology department (BCIT) routinely saved data on their local servers instead of backing it up on an external cloud system, according to a newly released audit. When the attack hit, some of that data was compromised by the malware. 

As a result, data that was supposed to aid in the analysis of four performance measures — metrics meant to determine if the agency was meeting its goals in an efficient and cost-effective manner — could not be accounted for throughout the 2017-18 fiscal years, according to the report.  

The news was broken to lawmakers during a city council audit committee meeting last week

"The BCIT was not able to provide documentation to support actual amounts of the four selected performance measures reported in the Budget Books," the report, filed by auditor Josh Pasch, reads. "Due to the lack of data backup, the supporting data for the four selected measures were unavailable."  

"One of the things I've learned in my short time here is a great number of Baltimore city employees store entity information on their local computers. And that's it," Pasch reportedly told councilors at the meeting. 

Eric Costello, city councilor for the city's 11th district and head of that committee, said in an interview with Government Technology that these practices were problematic.     

"It's a problem on multiple levels, least of which is that this is the agency that is supposed to be educating other agencies on how to effectively manage IT resources," Costello said. "One of two things happened: either they weren't following [existing] protocol or the protocol didn't exist — both of which are unacceptable."  

The BCIT's performance during and after the ransomware attack has been roundly criticized. The city's IT director Frank Johnson, who bore the brunt of that criticism, recently took leave without pay, leaving the ongoing recovery efforts in the hands of his deputy, Todd A. Carter

Those recovery efforts, which have been ongoing since May, are nearing completion, officials say. 

"I think we're in the final phases of the recovery process. Atlanta, a year later they were still recovering," said James Bentley, communications officer for the Mayor's Office, comparing the city's attack to the one that struck the Georgia state capital last year.

Though the Baltimore audit cited failures in the data backups, the city is far from alone when it comes to less than ideal storage practices. In many cases, resource limitations and a lack of personnel training are behind these kinds of oversights.  

Nick Psaki, federal CTO at Pure Storage, said that while he couldn't speak to the frequency of this kind of misstep in governments, he did stress the importance of backing up data in a secure way — especially at ta time when ransomware seems to be the cyberattack of choice. 

"Most of the folks I talk to do indeed back up their data," he said. "Clearly there's a huge appetite for improved and modernized data backup and recovery because we're seeing a huge growth in that space and a lot of new companies have moved into that space in the past few years."

The heightened threat landscape has also diminished the delusion that cyberattacks are some abstract and faraway problem, he added.  

"Until this year, there's been the belief that it couldn't happen to us," he said. "The reality has reared its ugly head and dispelled that myth. Hope is not a method. You have to test this stuff and you have to test it from end to end, and do it rigorously." 

Lucas Ropek is a former staff writer for Government Technology.