The New York City Legal Department holds some of the city’s best-kept secrets: evidence of police misconduct, the identities of young children accused of serious crimes, medical records and personal data for thousands of people. city employees.
But all it took for a hacker to infiltrate the agency’s network of 1,000 attorneys earlier this month was a worker’s stolen email password, according to an official. the city informed of the subject.
Officials did not say how the intruder obtained the worker’s credentials, nor did they determine the extent of the attack. But the hack was made possible by the legal department’s failure to implement basic protection, known as multi-factor authentication, more than two years after the city began requiring it, according to four people. knowing the legal agency system and the incident.
The intrusion interrupted the town’s lawyers, disrupted legal proceedings, and plunged some of the department’s legal affairs into disarray. And on Tuesday morning, in a conference call, Mayor Bill de Blasio urged the city’s agency heads to step up their cyber defenses or face the consequences if their agencies were hacked, according to three people who were on the scene. ‘call.
The mayor’s warning to agency heads comes 10 days after the city’s Cyber Command, created by Mr. de Blasio in 2017 to defend the city’s computer networks, detected unusual activity on the computer system of the legal department.
The next afternoon, June 6, city officials said, they removed the department’s computers from the city’s larger network. Many remain disconnected.
Mr de Blasio, in public appearances last week, said the hack was being investigated by the New York Police Department’s intelligence bureau and the FBI’s IT task force. He said officials were unaware of a ransom demand or compromised information.
Officials also said there was no evidence the attack damaged the city’s computer systems, although the investigation is still in its early stages. Investigators are still trying to determine the identity of the perpetrator and the motive.
“We have identified the malware – we have seen it before,” John Miller, deputy commissioner of the police department responsible for intelligence and counterterrorism, said at a press conference.
“Is this someone looking to retrieve information, export it, and then launch a ransomware attack?” Mr. Miller said. “Is this another type of actor who seeks to collect information for other strategic purposes? Both were possibilities, Miller added.
A town hall spokeswoman and a spokesperson for the legal department both declined to comment on Thursday.
Multi-factor authentication, a measure familiar to many who work on computers at home and in the office, requires users who log into sensitive accounts to take at least one extra step to verify their identity, such as entering a passcode. temporary digital sent to a user’s mobile phone.
The tool has been widely adopted in recent years, cybersecurity experts say, as hackers increasingly target government, businesses, hospitals and infrastructure using stolen passwords and other information. identification. This allows them to enter computer systems to disrupt operations or steal data, which can be used to demand ransom.
The vast majority of ransomware attacks gripping U.S. cities, towns and hospitals were made possible because targets did not enable multi-factor authentication, cybersecurity experts and officials said. Hackers exploited the lack of multi-factor authentication to force the shutdown of the colonial pipeline in May and to attempt to poison a small town Florida’s water supply in February 2020, officials said.
Diligent hackers have found ways to bypass multifactor authentication on software used by the Pentagon and many Fortune 500 companies. But cybersecurity experts say its use remains one of the easiest ways to dramatically reduce chances of success of an attack.
In an urgent note earlier this month, the White House urged U.S. organizations to use multi-factor authentication, in addition to other safeguards such as data backup.
A directive issued by Cyber Command New York in April 2019 required all agencies in the city to use multi-factor authentication to access restricted or sensitive information, according to a copy of the document obtained by The New York Times.
Geoff Brown, Cyber Command chief and head of information security for New York City, admitted at a press conference last week that the city had issued such a directive, but he declined to respond to whether the legal department had used the tool.
“For now, answering questions about protecting the city’s systems could give the attacker insight” into the city’s internet technology or the ongoing investigation, Mr. Brown said.
The Legal Department’s servers were running on Microsoft software released in 2003, for which the company stopped providing critical security updates in 2015.
Failure to update software makes municipal systems an ideal target for hackers who simply search the Internet for unpatched software and exploit it. The Florida water treatment plant last February was also using a ten-year-old version of Microsoft Windows that hadn’t been updated in years.
In his phone call Tuesday with the city’s agency heads, de Blasio cited multi-factor authentication and up-to-date software as priorities to be addressed immediately, according to officials who participated in the call.
Katharine Rosenfeld, a lawyer who in one case represented a pregnant woman who sued the city after being handcuffed while at work, said security breaches revealed the legal department was “frightening” in its handling of confidential information.
“Think about all the medical records we give them from our clients, mental health treatments, settlement negotiations,” Ms. Rosenfeld said. “It just makes me very worried.”
The shutdown of the Legal Department’s computer system after the attack had an impact that spread through New York City courts, slowing cases down and forcing city lawyers to seek time extensions.
“Although the undersigned recently regained remote access to email,” city attorney James Jimenez wrote to a Brooklyn federal judge on Tuesday in a false arrest trial, “I do not still cannot remotely access files or documents “.
In Manhattan federal court, the attack fueled a dispute in a series of high-profile lawsuits accusing the police department of using excessive force and making unwarranted mass arrests during protests in New York l ‘last year after George Floyd was murdered by a Minneapolis cop. officer.
Lawyers for the plaintiffs complained that the legal department, citing the hack, declined to say when it would hand over critical documents which lawyers say must investigate what they called the city’s “brutal response” large-scale events.
The legal department accused the plaintiffs’ attorneys of using hacking to “engage in a game” and suddenly deciding that “the time has come to flood the defendants with a roadblock” with new requests for documents, a city attorney, Dara L. Weiss, wrote to the court last week.
Ms. Weiss said that despite “technological challenges”, hacking has not stopped progress in the case.
“Defense lawyers have not been silent,” added Ms. Weiss.
Nicole perlroth contributed reports. Susan C. Beachy contributed research.