New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, medical records, and personal data of thousands of city employees.
But all it took for a hacker to break into the network of the 1,000-lawyer agency earlier this month was an employee’s stolen email password, according to a city official briefed on the matter.
Officials did not say how the intruder obtained the worker’s credentials, nor did they determine the scope of the attack. But the hack was triggered by the Law Department’s failure to implement a basic safeguard, known as multi-factor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal system and the case.
The break-in disrupted the work of city attorneys, disrupted court proceedings, and plunged some of the department’s legal work into turmoil. And on Tuesday morning, on a conference call, Mayor Bill de Blasio reminded heads of city agencies to strengthen their cyber defenses or face the consequences in the event their agencies were hacked, according to three call participants.
The mayor’s warning to agency heads came 10 days after the city’s Cyber Command, created by Mr. de Blasio in 2017 to protect the city’s computer networks, discovered unusual activity on the Law Department’s computer system.
The next afternoon, June 6, city officials said they had removed the department’s computers from the city’s larger network. Many people are still disconnected.
Mr. de Blasio, during a public appearance last week, said the hack was being investigated by the New York Police Department’s intelligence department and the FBI’s cyber task force. He said officials were unaware of a ransom demand being made or any information being compromised.
Officials also said there was no evidence the attack damaged the city’s computer systems, though the investigation was still in its early stages. Investigators are still trying to determine the intruder’s identity and motive.
“We’ve identified the malware – we’ve seen it before,” John Miller, the Police Department’s deputy commissioner for intelligence and counterterrorism, said at a news conference.
“Is someone looking for credentials, exporting it, and then performing a ransomware attack?” Mr. Miller said. “Is it another type of actor looking to gather information for other strategic purposes?” Both are possibilities, Mr. Miller added.
A spokesperson for City Hall and a spokesperson for the Law Department both declined to comment on Thursday.
Multi-factor authentication, a practice familiar to many people who work on computers at home and in the office, requires users logging into sensitive accounts to take at least one extra step to verify their identity, such as entering a temporary code sent to the user’s mobile phone.
Cybersecurity experts say the tool has seen widespread adoption in recent years as hackers increasingly target governments, businesses, hospitals and infrastructure using hacked or stolen passwords and other logins. This allows them to infiltrate computer systems to disrupt operations or steal data, which can be used for ransom.
The vast majority of ransomware attacks on US towns, cities and hospitals can happen because targets don’t have multi-factor authentication enabled, according to cybersecurity experts and officials. Officials say hackers exploited a lack of multi-factor authentication to force the closure of the Colonial Pipeline in May and aimed to poison the water supply in a small Florida town in February 2020.
Diligent hackers have found a way to bypass multi-factor authentication on software used by the Pentagon and many Fortune 500 companies. But cybersecurity experts say its use remains one of the simplest ways to greatly reduce the rate of successful attacks.
In an urgent memo earlier this month, the White House urged American organizations to use multi-factor authentication, in addition to other protections such as data backups.
A directive issued by New York’s Cyber Command in April 2019 requires all city agencies to use multi-factor authentication to access sensitive or restricted information, according to a copy of documents obtained by The New York Times.
Geoff Brown, the head of New York’s Cyber Command and chief information security officer, acknowledged at a news conference last week that the city had issued such a directive, but he declined to answer questions about whether the Law Department uses this tool.
“At this point, answering questions about protecting city systems could provide an attacker with insight into the city’s internet technology or an ongoing investigation,” Brown said.
The Law Department’s servers run on Microsoft software released in 2003, software for which the company stopped providing critical security updates in 2015.
Failure to update the software makes the city’s systems ripe targets for hackers, who simply scan the internet for unpatched software and exploit it. The Florida water treatment plant last February also used a decades-old version of Microsoft Windows that hadn’t been updated in years.
In a phone call Tuesday with city agency heads, de Blasio said multi-factor authentication and up-to-date software are priorities that need to be addressed immediately, according to officials involved in the call.
Katharine Rosenfeld, an attorney in a case representing a pregnant woman who sued the city after being handcuffed while she was in labor, said the security lapses showed that the Law Department had been neglectful to a scary extent in handling classified information.
“Think of all the medical records we give our clients, mental health treatment, settlement negotiations,” Ms. Rosenfeld said. “It just makes me so nervous.”
The disabling of the Law Department’s computer systems after the attack hit New York courts, slowing cases and forcing city attorneys to ask for deadline extensions.
“Although the undersigned have recently regained remote access to email,” a city attorney, James Jimenez, wrote to a Brooklyn federal judge Tuesday in a lawsuit filing, “I still cannot remotely access any records or documents.”
In federal court in Manhattan, the attack sparked controversy in a series of high-profile lawsuits accusing the Police Department of using excessive force and making unprovoked mass arrests during protests in New York last year following the murder of George Floyd by a Minneapolis police officer.
Plaintiffs’ attorneys complained that the Department of Justice, citing the hack, declined to say when it would turn over key documents, which the lawyers said they needed to investigate what they called the city’s “brutal response” to large-scale protests.
The Law Department accused plaintiffs’ attorneys of using the hack to “get into the game” and of suddenly deciding that “now is the right time to flood the defendants” with new document requests, a city attorney, Dara L. Weiss, wrote to the court last week.
Ms Weiss said that despite the “technological challenges”, the hack did not stop the progress of the case.
Ms. Weiss added: “Defense attorneys did not sit on their hands.”
Nicole Perlroth contributed reporting. Susan C. Beachy contributed research.