Interim City Manager Thomas Haglund announced at Tuesday night’s City Council meeting that the city’s recent ransomware attack has cost the city over $758,000 in new hardware, software, vendor services and personnel time, including lost staff time and interruption in business services. Haglund included in his update a rundown of the city’s and outside agencies’ response.
The day of the attack, Dec. 16, city officials filed a claim with the Northern California Cities Self Insurance Fund, and the FBI, and California Office of Emergency Services (CalOES) was also contacted.
CalOES responded to the city to assist in damage assessment and recovery efforts.
Four days later, the Department of Homeland Security (DHS) dispatched a Cybersecurity and Infrastructure Security Agency (CISA) team from Washington, D.C.
After assessing the city’s efforts to recover and rebuild the system, the CISA team offered recommended actions to be taken in the rebuilding phase.
“The effort was exhaustive and continued, notwithstanding the holidays and weekends,” Haglund said. “The result of the forensics effort revealed that many city servers were affected by the attack and required replacement in order to restore data from backups. This necessitated the purchase of a number of new servers and attendant equipment so that data recovery could be achieved.”
Haglund said that the city was able to access city backup systems once new hardware was up and ready, and deemed safe.
The city systems are slowly rolling back online; most email systems are back up and the phone lines have returned.
But that has come with a hefty price tag. The city spent approximately $758,654 to get back up and running.
The city plans to file a claim with its cyber insurance company for reimbursement of covered costs incurred by the city to gain access to its data, estimated at $233,879, and recover costs affiliated with business interruption to the tune of $524,775.
The city will need to pay $50,000, the equivalent of a deductible.
The largest expenditure in recovery is for the forensics experts, weighing in at a hefty $150,000. The next expensive price tag was the purchase of a new storage array at $124,310.
“Moving forward, it will take time for the city to recover to the level it operated prior to the attack,” Haglund said. “Desktops are being deployed back into service, and email Internet access and data systems are being reactivated.”
Haglund said that the damage to the city’s hardware and software systems was significant so the replacement systems have been programmed to specifications recommended by DHS, CalOES and industry best practices for protecting systems; however, no system is completely safe.
“The future is not without risk to the city, or any organization or individual that relies on computers connected to the Internet,” Haglund said in his staff report.
He went on to say that the “common denominator” in all ransomware or cyber attacks is human.
“Nearly all ransomware attacks involve a human being opening a suspicious email or clicking on a suspicious dialog box,” he said.
Both CalOES and DHS have offered training regimens for employees of the city, and Haglund said the city has accepted their offer.