IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Ransomware Attack Impacts Criminal Cases in New York

A small number of criminal cases in Albany, N.Y., were affected by a 2019 ransomware attack against the city’s servers, causing the police department to lose digital copies of its 2018 internal affairs files.

(TNS) — The 2019 ransomware attack on the city's servers is now potentially affecting criminal cases after it was revealed that the city police department lost all digital copies of its 2018 internal affairs files.

The Albany County District Attorney's office sent letters to several local defense attorneys last month letting them know about loss of the files. District Attorney David Soares wrote that his office didn't learn the files were lost until Jan. 11, 2021, more than 18 months after the attack.

A police department spokesman denied that, saying the department had previous conversations with the district attorney's office regarding the data loss.

On Sunday, after this story appeared in print and online, the city disputed the extent of the file loss. Rachel McEneny, the city's commissioner of administrative services, said the internal affairs file loss went from November 2018 until the first two weeks of March 2019.

But beyond the information lost in the ransomware attack, the pace of police personnel files being turned over from the city police department for discovery in criminal cases is sluggish, putting cases in jeopardy, according to Soares' office.

On Jan. 21, Soares office sent Chief Eric Hawkins a letter urging him to send prosecutors the files they needed, adding that multiple cases were at risk of being dismissed, including some that prosecutors had previously told judges that they were in compliance with the state's discovery laws.

"I fear that your department has simply not invested the resources required to comply with our obligations and protect all of us from the dismissal of many important cases," Soares wrote to Hawkins.

Under the law, any evidence or information the police have is assumed to be in the prosecutors' hands as well. That means despite any delays on the part of the department, the prosecution faces potential consequences, including case dismissal, if they do not meet the state's new discovery guidelines.

In a statement to the Times Union, Hawkins said the department was in communication with Soares' office when it came to discovery issues.

"Some digital data entries were lost due to the ransomware attack," he said. "However, all physical files and documents are completely backed up and there was never a permanent loss. We remain committed to working with the district attorney's office to enhance public safety and ensure that offenders are brought to justice."

It's unclear how many criminal cases are impacted by the attack or if past cases will need to be revisited.

Albany County Public Defender Stephen Herrick said he believed they would be.

"It's going to be a huge issue and something that's going to impact disposition in cases, past and present," he said.

In his Jan. 11 letter, Soares said the police department's internal affairs unit still maintains the paper files that contain the information prosecutors need. However, prosecutors have only reviewed officers' personnel files and have not gone through the investigations into any allegations from that year themselves.

In an interview, Chief Assistant District Attorney David Rossi said that based on court rulings, if the district attorney's office isn't able to review those records, prosecutors won't be able to fulfill their obligations under the state's discovery law.

"And then eventually cases will be dismissed," he said.

The lost files came to light after a prosecutor was preparing a file to turn over to a defense attorney and realized previously known allegations that should be in an officer's file were missing.

The state's new discovery rules that went into effect Jan. 1, 2020, require prosecutors to certify they've done their due diligence in examining 21 categories of information that may need to be turned over to defense attorneys. Among those categories are police personnel files for officers who might become prosecution witnesses, such as officers who make an arrest.

Prosecutors and police departments have said that the new discovery law is an unfunded state mandate that place a huge technological and time burden on them to turn over massive amounts of information in short periods of time.

Defense attorneys argue that the new law levels the playing field, allowing defendants crucial access to information about their case sooner and that police and prosecutors had over a year to prepare for its implementation.

In most cases, judges have required prosecutors to provide defense attorneys with information from personnel files that is only directly to the case at hand.

However, in a November decision in an Albany homicide case, Albany County Supreme Court Judge William Carter ruled that the district attorney's office had to provide information on police officers who might be possible prosecution witnesses that was unrelated the current case. Carter also said Soares' office's use of asking police to essentially self-report "impeachable" information was not in line with the intent of the state's discovery laws.

Soares' office has said they disagreed with the ruling, pointing to the fact that other judges across the state were not putting the same burden on other prosecutors.

Previously prosecutors in Soares' office were asking police officers who might be potential witnesses to self-report possible impeachment information and relied on departments to review their own files and turn over any relevant information while the district attorney's office finished building its own database for police personnel files.

Judges have criticized Soares' office before for their compliance practices before Carter's recent decision. Last year, State Supreme Court Justice Peter Lynch dismissed two convictions because prosecutors failed to disclose that a star State Police witness had been censured three times. Soares office has said they became aware of disciplinary history after using the trooper as a witness.

The full impact of ransomware attack on the city has never been fully explained.

The city paid out roughly $300,000 to recover from the ransomware attack that hit Albany on March 30, 2019.

The costs covered destroyed servers, upgrading user security software, purchasing firewall insurance and other improvements to firm up the city's systems following the attack.

The hackers demanded payment in cryptocurrency to recover files they had encrypted.

The city said it did not end up having to pay the ransom because critical servers, such as human resources and treasury, were backed up. It has never said how much the hackers demanded. It's unclear who or what entity might have been behind the attack. It took the city several months to restore all its systems that could be recovered.

In a ransomware attack, a hacker cuts off the victim's access to a system or personal files and demands payment — typically via credit card or cryptocurrency — in order to make it available again.

On Friday, the FBI said the investigation into the ransomware attack was on-going.

*This story has been updated to include new information from the city on the extent of the ransomware attack on the police department's internal affairs files.

©2021 the Times Union, Distributed by Tribune Content Agency, LLC.