INDIANAPOLIS (WISH) — Days after a ransomware attack crippled Madison County’s computer systems, county commissioners approved a $21,064 payment to a San Francisco-based cyber security firm.
It was meant to pay a ransom.
County officials confirm the county’s insurance company recommended that Kivu Consulting be hired to deal with the hacking of the county’s computer systems.
All told, that cyberattack has cost the county more $220,000, I-Team 8 has learned. On top of the ransom, county commissioners approved $198,000, according to the county’s IT director, so that her department could start work on a project to move the county’s backup servers and firewalls offsite.
But county officials fought to keep that information private.
They fought to keep information about how public tax dollars were spent out of public view.
I-Team 8 filed a series of open records request shortly after the cyberattack asking for records related to county disbursements from the hacking.
For months, the county denied that request.
In a most-recent letter dated January 11, Madison County Attorney Jeff Graham wrote: “Pleased be advised that it is the position of the Board of Commissioners that the disclosure of claims relating to the November 2016 malware attack would jeopardize the security of Madison County’s computer system and also create a reasonable likelihood of threatening public safety by exposing a vulnerability to a terrorist attack. As such the Board of Commissioners would exercise its discretion to deny your request for these claims, pursuant to I.C. 5-14-3-4(b)(10) and I.C. 5-4-3-4(b)(19).
After denying our request, I-Team 8 and the county attorney agreed to take up the matter with the state’s open access counselor. Before that occurred, I-Team 8 obtained a copy of the payment to Kivu Consulting.
Graham then wrote another email saying that the county had satisfied our open records request.
It was against that backdrop that I-Team 8 had additional questions for county commissioners about why they sought to keep the information private? After making attempts to reach them last week, we were told to attempt to reach them by email. None of them replied.
So on Tuesday, following an open public meeting of the county commissioners, I-Team 8 approached with our questions, including why is the county so reluctant to talk about how it spent the public money?
Commissioner John Richwine initially declined our request for an interview and did not respond to follow-up questions. He did say, “You got the information that you lacked, and I really don’t appreciate this tactic of coming in here and doing this,” Richwine told I-Team 8.
When I-Team 8 tried to press him further, stating that we were seeking clarity on how specifically those monies were spent, Richwine continued:
“I think we offered clarity in that measure in the sense that you know exactly what those dollars are so I don’t think there is any question on that. It’s much less significant than anyone would’ve ever imagined. There are some things that you don’t let loose of in protection of the integrity of the county because it may open you up to a bigger threat in the future. I think this certainly falls into that category,” Richwine said.
County officials confirm Kivu Consulting was hired to pay the ransom to hackers, which had to be converted into bitcoin, the only currency which is popular in the darkest corners of the internet.
What’s not clear is how much of those dollars went to Kivu Consulting and how much went to the hackers? County officials still refuse to say. A company official with Kivu Consulting’s San Francisco office declined to answer questions and hung up.
“It was a big pain,” Sheriff Scott Mellinger said of the November cyberattack. “As if computers were no more.”
Mellinger said his dispatchers had to take notes by hand. Those notes later had to be typed back into the computer system after the servers were back up online.
Mat Gangwer with Rook Security in Indianapolis says that ransomware attacks are a bit of “a double-edged sword.” And the decision on whether or not to pay the ransom is often a difficult one. On the one hand, he said if a company has backup servers that are offsite, he wouldn’t recommend paying the ransom. On the other hand, if it were a personal computer with delicate information that isn’t backed up, it might make sense to pay the ransom.
Madison County officials confirm to I-Team 8 that it did not have backup servers offsite, which made retrieving their data very difficult.