Of the thousands of lawsuits New York City faces each year, this one is no exception – a man sued the city and several police officers over his arrest during a protest. 2016. However, last week the case was successful for an unusual reason: The city’s Legal Department was hacked and attorneys were struggling to access important documents.
“In fact, all attorneys from the New York City Department of Law still do not have remote access to electronic files,” Jorge M. Marquez, a city attorney, wrote to the judge on Jan. July, requesting an extension of the time limit in the false arrest. case.
Mr. Marquez noted that attorneys were able to enter the Code’s office to review records, but because of the pandemic, many attorneys, including him, were out of work. “It is currently unknown when this will be resolved,” he wrote, adding that the city expects it to happen in the coming weeks.
More than a month after hackers gained access to the Code’s computer systems – which store loads of sensitive information – it is now clear that the breach had far-reaching implications than officials thought. disclosed publicly. The department’s IT director was reassigned and replaced. And the failure, as documented in internal communications obtained by The New York Times, for months could continue to affect the agency’s 1,000 attorneys who defended the city in court.
Many city Law Department employees have returned to the office on a limited basis, but the inability to retrieve documents remotely has slowed some of their work.
Laura Feyer, a spokeswoman for Mayor Bill de Blasio, said in a statement that the Code’s attorneys are “aligning the work onsite and remotely to ensure there is minimal impact on communities.” case.”
Nick Paolucci, a spokesman for the Code, said that the majority of the department’s attorneys were able to meet the court’s deadline and the city’s legal work is underway.
But court records show the hack continues to be complex. In a letter to the judges, the city’s attorneys sought a delay in the cases, saying that without access to the electronic files, they could not prepare a dismissal, respond to the complaint. complaint or submit a summary.
In a lawsuit against the Department of Education on behalf of a teenager with autism, the plaintiff’s attorney wrote to the judge that settlement negotiations had been stalled for some time because the city’s attorney no access to emails and case files. It’s unclear how many cases were delayed because of the hack.
Some of the Code’s attorneys even went to the office and transferred files, some containing sensitive documents, to personal flash drives so they could work on a home computer, according to an employee.
The Times reported that the Code’s hack occurred after an intruder used an employee’s stolen email password to gain unauthorized access to the agency’s computer. The Times found that the intrusion was triggered by the department’s failure to comply with the city’s April 2019 directive that all agencies deploy a common security tool called authentication. multi-factor reality.
The tool requires users logging into sensitive accounts to take at least one more step to verify their identity, such as entering a temporary code sent to the user’s mobile phone. .
“Although the attack was quickly contained thanks to the actions of Cyber Command, the lack of compliance Given the city’s IT standards, the attack was unacceptable,” said Ms. Feyer, a spokeswoman for City Hall, in a statement.
Feyer said the Code has been working “around the clock” under the guidance of Cyber Command and the city’s information technology division “to enhance the system and restore more functionality” to deal with violations.
Mr. de Blasio said that the breach is being investigated by the FBI’s cyber task force and the New York Police Department’s intelligence service, and that the city is not aware of any ransom requests being made or information being leaked. violate.
The mayor also warned city department leaders during a conference call in mid-June to reinforce their cyber precautions or face the consequences if their agencies were hacked. Times reported.
According to an email from Georgia M. Pestana, the Department of Education’s acting head, the Code has reassigned its chief IT officer, Edwin Francisque, and replaced him with a veteran Department of Education IT supervisor. her staff last week.
Mr. Francisque declined to comment through a spokesman for the Code.
The Cyber Command hack was first discovered by Cyber Command on June 5, and the next day the agency’s computers were removed from the city’s larger network, causing many The ministry’s legal work was disturbed.
In a court hearing on June 30, Stephen Kitzinger, the attorney representing the city in the Eric Garner family lawsuit, told the judge that his office email was not restored until June 14. – more than a week after the hack was discovered. – and that he still doesn’t have access to his profile.
Ms. Pestana, in an email on June 14 telling her staff that access to the email had been restored, laid out rules for “securely transferring documents” from the office to the “environment.” your family”.
A city official said that after the hack, Law Department employees are now provided with multi-factor authentication.
Cybersecurity experts and other officials say that the vast majority of ransomware attacks targeting US towns, cities and hospitals can occur because the target doesn’t use multi-factor authentication. Experts have said that hackers exploited this lack of tools when they forced the closure of the Colonial Pipeline in May and attempted to poison the water supply in a small Florida town early last year.
Officials did not say why the Law Department did not implement the protections following the Cyber Command directive more than two years ago.
In the spring of this year, the company appeared to be finally preparing to do so, the emails showed. On May 25, Mr. Francisque, then IT director, wrote to employees that the plan to implement multi-factor authentication would bring the agency into compliance with the directive.
“We’ve all heard of high-level security breaches, which are becoming more and more frequent, especially those that exploit systems through end-user credentials,” he wrote. .
Less than two weeks later, the hack occurred.
Ashley Southall contribution report.