LaPorte County, Indiana, reported Sunday that it had been affected by a malware attack. County Commission President Dr. Vidya Kora announced that county employees and the public needing to access any county government email or website would be unable to do so because of a “malicious malware attack that occurred on Saturday morning, July 6, 2019, that has disabled our computer and email systems.”
A press statement issued July 7 explains that the IT department discovered the malware and shut down systems on Saturday afternoon. “Unfortunately, at least half our servers have been infected and it will take some time to fully restore service.”
The statement says nothing about the malware itself. It notes that the county has cyber insurance, and that Travelers Insurance “immediately referred us to the Wayne, PA, incident-response law firm of Mullen Coughlin LLC that specializes in responses to such cyber-attacks and coordinates system repairs and protection of our computers from further such virus infections.”
Mullen Coughlin LLC describes itself as “uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits.” Its partners, however, have often given talks on ransomware and the response to ransomware.
Talk about system repair and the need for ‘some time to fully restore service’ points the finger at a ransomware attack. Without confirmation from LaPorte County this is just conjecture, but it fits with recent history. Within the last few weeks, Riviera Beach City in Florida agreed to pay a ransom of $600,000. It too had cyber insurance, and the payment was covered by the insurers.
What isn’t known in such circumstances is the extent of influence exerted by insurers over how the victim should respond. In the LaPorte incident they seem to have considerable influence. It was the insurer who specified the legal firm, and the legal firm who, says Kora, “will also assist us as we prepare documentation to report this attack to the FBI and other appropriate law enforcement agencies.”
There are concerns that as criminals learn that insurers are likely to pay the demand, they will simply increase the amount demanded. Certainly, the last 16 months have shown in increase in extortion targeting municipalities, and a dramatic rise in the ransom figure (from around $50,000 for the attack on the City of Atlanta in March 2018 to $600,000 for Riviera Beach City in June 2019).
Insurers consequently have an incentive to maintain a low-profile over their involvement in paying ransoms. This — and again it is just conjecture — could explain why LaPorte has said nothing about the nature of the attack. Had it been a medical facility, it would have been required to disclose the attack, even if it were a ransomware attack, under HIPAA.
The Indiana disclosure law is simply that Indiana businesses inform their customers about security breaches that have placed their personal information in jeopardy. Ransomware does not normally involve theft of personal data, so would not need to be disclosed.
Related: Georgia County Criticized Over $400K Ransomware Payment
Related: Utah County Struck by Ransomware
Related: Aluminum Giant Norsk Hydro Hit by Ransomware
Related: Eurofins Scientific Paid Up in Response to Ransomware Attack
