And while City Manager Joe Lopez told The Bee this week that there is no active threat, a ransomware group called snatch has posted on its website that it has Modesto's data.
A threat analyst with the cybersecurity firm Emsisoft reported the development Monday on Twitter.
Speaking in general terms, the analyst, Brett Callow, said in an interview with The Bee that ransomware groups try to extort payments from their targets by threatening to release the data unless they are paid.
But he said targets that pay have no guarantee the ransomware groups won't keep the data and try to extort another payment. He said ransomware groups also can demand payment to unlock the computer network they have hobbled.
When asked Monday whether the hackers have demanded a ransom, Lopez said, "I'm not at the point of divulging that."
When asked later the same day about the ransomware group snatch having Modesto's data, city spokesman Andrew Gonzales referred to the city's March 2 statement, in which it acknowledged the Police Department had been hit by ransomware, and said the city would have no additional comment at this time.
Callow said the snatch ransomware group formed in 2018. He said ransomware attackers collect data from a computer network they have breached and then deploy the malware that locks up the network.
"That's when the organization knows it has a problem," he said.
The city has said the department's network was compromised by a ransomware attack Feb. 3. But in a letter sent in early March to people whose personal information may have been accessed, the city said:
"On February 3, 2023, the City experienced a cybersecurity incident that affected some of its computer systems. Upon discovering the incident, we promptly took action ... . During the course of the investigation, the City learned that some data was accessed during the incident between January 31, 2023, and February 3, 2023."
The letter went out under the signature of Lopez.
When asked about the discrepancy in the dates in a Monday interview with Bee editors, Lopez said, "The investigation is still ongoing. We will make public statements in the future. I don't feel comfortable sharing this information without consulting my legal team."
The letter included the city's offer of one year of free credit monitoring services.
Callow said there are two primary ways that bad actors gain access to a network: through a type of email called phishing and through servers connected to the internet without adequate security. A phishing email can contain a link that delivers malware. The malware is activated when someone clicks on the link.
Callow, again speaking in general terms, said hackers have released all kinds of sensitive information on the internet, including the names of law enforcement informants, investigations into child abuse allegations and personnel evaluations.
He said organizations have a history of not being transparent regarding cyberattacks. "There is no benefit to keeping these matters quiet," he said. "People's personal data may have been compromised."
Callow said he understands organizations cannot reveal everything because some details could be sensitive and related to the ongoing investigations, but they "should make disclosures faster and more descriptive so people have an indication of what happened and may yet happen."
MPD employees affected
Lopez said Monday that the personal data that may have been accessed was limited mainly to city employees and almost entirely limited to Police Department employees. He said a small number of people who don't work for the city may have been affected, too. He could not say how many people may have had their data accessed but said there are no reports of personal information being misused.
The cyberattack hobbled the Police Department's IT network. For instance, the laptops in patrol vehicles — called mobile data computers — did not work. That meant officers could not use them to check someone's criminal history or whether he had any warrants. Officers also had to write reports and traffic tickets by hand.
But Lopez repeated what the city has said previously — that the cyberattack never put the public at risk or disrupted the city's ability to provide services, including responding to 911 calls. He said residents still were able to securely pay bills online. The city has said the cyberattack was limited to the Police Department.
Officers relied on Stanislaus Regional 911 dispatchers for information they normally accessed on their laptops. The Police Department provided extra staffing at the dispatch center while its network was hobbled.
Modesto acknowledged in a March 2 statement that the Police Department had been hit by ransomware and that personal information may have been accessed. The statement said the city was sending letters to people who may have been affected.
"We reviewed the files that were accessed for personal information," the letter states. "On February 17, 2023, we determined that one or more documents involved in this incident may include some personally identifiable information such as your name, address, Social Security number, medical information included in work status reports, driver's license number, and/or state-issued identification number."
Citing its ongoing investigation and security concerns, Modesto has been reluctant to release information.
City names experts helping it
It acknowledged Feb. 8, upon an inquiry from The Bee, that it had "recently detected suspicious activity on our digital network." Relying upon multiple sources with direct knowledge of the incident, who spoke only on the condition of anonymity, The Bee published a story the next day that the Police Department was the victim of ransomware. Three weeks then passed before the city acknowledged that it was a ransomware attack.
Modesto has said it was working with leading cybersecurity experts and law enforcement on the breach. But until Friday, it did not release the names of the experts.
The city said the cybersecurity firms are Virginia-based MoxFive and one of its subcontractors, Illinois-based Entara. The city said in an email that MoxFive's services include confirming that backups are valid and usable, and reimaging and rebuilding hardware to eliminate possible infection on servers, workstations and laptops.
Modesto has not released the cost of using these firms or the law enforcement agencies assisting the city. The Bee has filed multiple California Public Records Act requests to obtain basic information about the security breach.
The city has said that because of the need to protect its investigation, it is limited in what it can say. "We're being as transparent as we can," Lopez said Monday. "We're just getting to a point where what can be shared will be shared. There is no active threat going on right now."
© 2023 The Modesto Bee (Modesto, Calif.). Distributed by Tribune Content Agency, LLC.