A threat analyst with the cybersecurity firm Emsisoft reported the development Wednesday on Twitter.
"Generally speaking, (cyber criminals) only release the data if they are not paid," said Brett Callow, the analyst, in a phone interview. "And I would say if the city hasn't paid them, it is absolutely the right decision."
Callow said organizations cannot count on cyber criminals to destroy the data after they have been paid. He said they may try to extort another payment or sell the data to other criminals.
"There is very little Modesto can do now but minimize the damage," he said about the ransomware group making the data available on its website.
The city has said personal information may have been accessed in the cyber attack, including names, addresses, Social Security and driver's license numbers. The city sent letters to people whose personal information may have been accessed and offered them one year of free credit monitoring.
City Manager Joe Lopez has said the personal information that may have been accessed was limited mainly to city employees and almost entirely to Police Department employees. He said a small number of people who don't work for the city may have been affected.
SENSITIVE INFO RELEASED ONLINE
Modesto has not said how many people were sent letters and whether other data was accessed.
Callow said ransomware groups in other attacks have released all kinds of sensitive information on the Internet, including the names of law enforcement informants, investigations into child abuse allegations and personnel evaluations.
Modesto has released little information about the cyber attack, saying it needs to safeguard its investigation. And regarding this latest development the city issued this statement:
"At this time, our data review is complete, and we have determined some files accessed by the threat actor responsible for this attack may have included some personally identifiable information for certain individuals.
"We have made written notification to individuals whose information was involved and provided them with resources, information, and next steps to help protect their information."
The ransomware group Snatch has claimed responsibility for the cyber attack. It posted 15 files on its website that it claims include Modesto data.
Callow, who has been interviewed for news reports in the New York Times, Washington Post and CNN, said he has not downloaded the files to see what they contain. He said he is respecting the privacy of the people whose personal information may be in them.
Modesto has said the Police Department's IT network was compromised by a ransomware attack Feb. 3. But based on the letter the city manager sent to people whose personal information may have been accessed, the data breach may have started Jan. 31 and was detected by the city three days later.
PATROL LAPTOPS DIDN'T WORK
The cyber attack hobbled the Police Department's IT network. For instance, the laptops in patrol vehicles — called mobile data computers — did not work. That meant officers could not use them to check whether someone had a criminal history or any warrants. Officers also had to write reports and traffic tickets by hand.
Department spokeswoman Sharon Bear said Thursday that nearly all of the network has been restored, including the laptops in patrol vehicles and the department's desktop computers, and work continues to restore the rest of the network.
City officials have said the cyber attack never put the public at risk or disrupted the city's ability to provide services, including responding to 911 calls.
Callow said that this year, there have been at least 20 ransomware attacks in the United States that targeted cities, counties and other local governments. He said information has been released on the Internet in at least 13 of the attacks.
Callow said the crime is much more prevalent but government agencies and private businesses are reluctant to acknowledge the attacks.
Callow has said there are two primary ways that bad actors gain access to a network: through phishing emails and through servers connected to the Internet without adequate security. A phishing email can contain a link with malware in it. The malware is activated when someone clicks on the link.
©2023 The Modesto Bee, Distributed by Tribune Content Agency, LLC.