According to the FBI's Internet Crime Complaint Center, which collects and analyzes data on internet crimes reported by the public, 880,418 complaints about cybercrime were reported in 2023, with potential losses exceeding $12.5 billion. That's an 11 percent rise in complaints and a nearly 198 percent increase in potential losses over 2020 reports.
This has carried over into Iowa as well. In 2023, the state reported 3,723 internet crime complaints to the FBI — a 26% increase over 2022.
"We've definitely seen an uptick in the number of organizations that are coming to us to deal with cyberattacks over the last couple of years," said Bobby Kuzma, director of offensive cyber operations at ProCircular, a computer security service in Coralville. "If a business hasn't had a breach in their data, they've almost certainly know someone who has."
Several Iowa car dealerships spent weeks processing paperwork the old-fashioned way — with pen and paper — after a national software vendor suffered a ransomware attack in late June. Also in June, the city of Cedar Falls fell victim to a ransomware attack and briefly shut down computer systems.
Cyberattacks refer to hostile actions conducted digitally to compromise an individual or organization's computer system, network or devices. These attacks often target sensitive information such as personal data, financial records or intellectual property. Attacks can take different forms including phishing attacks to trick someone into giving personal data or surreptitiously installing malicious software to steal personal information or damage computers.
"Cyberattacks will continue to rise because people are successful at them, and it's making people money," said Doug Jacobson, director of the Center for Cybersecurity Innovation and Outreach at Iowa State University. "Cyberattacks are becoming a staple of organized crime."
In 2001, the FBI center reported 49,711 cybercrime complaints in its first annual report. But by 2015, it was receiving an average of nearly 300,000 complaints annually, and almost a decade later, complaints were at 758,000 annually.
(Cyberattacks) weren't really prevalent in the early days because there was little way to monetize it," Jacobson said. "The advent of digital currency and different ways to do pseudo-anonymous transactions electronically enabled the adversaries to have a way to get paid."
A ransomware attack — in which hackers gain access to an organization's system after employees unwittingly visit compromised websites or click on infected email attachments — has been among the most prominent types of cybercrimes recently.
The FBI center received 2,825 complaints in 2023 identified as ransomware, with adjusted losses of more than $59.6 million — an 18 and 74 percent increase from 2022, respectively.
"These hackers might extract copies of records for extortion purposes, or they may simply encrypt all the files and completely put the business at a standstill until the ransom is paid," Kuzma said.
In May, Ascension, a Catholic health system with 140 hospitals in 19 states — but not in Iowa — was hit with a ransomware attack that locked providers out of systems obtaining patient electronic health records, causing medication errors, and forced many hospital staff to work offline because their systems were compromised.
In February, a ransomware attack on Change Healthcare, part of UnitedHealth Group, crippled providers and hospitals before the company paid $22 million in ransom. The firm offers pharmacy services to some Iowa Medicaid members, but the state said Iowa Medicaid information systems were not accessed.
"The industries that cannot afford downtime, specifically health care, tend to attract more attention," Kuzma said. "It can be very disruptive to these organizations, particularly if they don't have a good recovery plan."
In late June, CDK Global, a provider of software used by over 15,000 dealerships across North America, was hit with a ransomware attack that disrupted operations at over 60 new car dealerships in Iowa.
Bruce Anderson, president of the Iowa Automobile Dealers Association, said services at these dealerships are back and running after two weeks of staff operating almost entirely through pen and paper. He said this process caused delays but that "the core functions at these locations are back up and running."
According to Anderson, "there has been no indication a breach of unencrypted customer data, or any customer data," at these Iowa dealerships, but said, the "CDK investigation continues."
Also last month, Cedar Falls experienced a ransomware attack, according to a July 3 news release from the city.
"The city engaged legal counsel and cybersecurity professionals to conduct a privileged forensic investigation," according to a city statement. "The event has not materially affected the City of Cedar Falls' ability to provide public services. Following a short period of controlled downtime, all affected services have been restored."
City officials reported the incident to the FBI, "who will conduct a law enforcement investigation of the individuals responsible for the incident," the release states. The city has not said whether it paid a ransom.
Disruptions in learning
When Rob Denson started as president of Des Moines Area Community College 21 years ago, he was not too familiar with cyberattacks.
"We'd seen it reported in the media about other educational institutions going through it, but I had talked with my IT team and always believed (DMACC) would be safe," Denson said.
This was until the early hours of June 1, 2021, when DMACC's information technology team began receiving alarms that software had been breached. Within the next 24 hours, Denson said school officials shut down all internet connections for students and faculty.
Once the school was offline, Denson said university officials worked with the college's cyber insurance providers, who contracted experts to fix the breach and assess what information was taken. Ransom negotiators were brought in as well.
"For 28 days, including weekends, we had a daily video call with all those groups to get updates on the situation," Denson said. "We had a team of about 10 IT professionals playing whack- a-mole basically, meaning they were in the room looking for abnormalities in our system and addressing them immediately."
During this time, summer classes were canceled for nearly a week. Denson said the college discovered documents containing the personal information of 21 people, including names and Social Security numbers, were obtained in the computer hack.
"They got into some old files, which really had nothing, and the ransom negotiators spend most of their time telling the threat actors, 'Well, what do you got? I mean, why should this be worth anything?" he said.
DMACC provided the 21 individuals with cyber insurance protection, which "generally follows a breach like this," according to Denson. Cyber insurance protection for individuals typically covers any financial loss from a cyber incident, with some providers offering credit monitoring and services to try to gather stolen information.
After removing the hackers from the system and realizing they could not access the school's backup servers, Denson said the school decided not to pay a ransom and the hackers eventually gave up. DMACC has never disclosed how much ransom was sought.
"If a business has good backups, and they test them regularly and know how to restore them, they can pretty much extend the middle finger at the hackers," said cybersecurity expert Kuzma.
Since the DMACC attack, several other Iowa educational institutions have fallen victim to ransomware attacks. Since 2022, some of Iowa's biggest school districts — Cedar Rapids, Linn-Mar, Davenport and Des Moines — also have been hit with cyberattacks.
The fallout
In the aftermath of DMACC's ransomware attack, Denson said the university has taken strides to increase its cybersecurity.
Before the attack, DMACC did not require students and faculty to use multifactor authentication, which uses multiple methods to verify identity. And while the school already required students and faculty to participate in sexual assault and active shooter trainings, Denson said DMACC now mandates that all students and staff take cybersecurity training.
"It's like a 30-minute webinar talking about what the current things that these hackers are doing are to get us to give up our information, and how do we avoid it," Denson said. "It's probably one of the more important trainings we do."
Kuzma said it's essential for organizations to undergo training so they know how to respond if they're ever faced with a cyberattack.
"Often, this is the first time that something of this scale is disrupting a business, and if you haven't practiced it, there is a lot of running around, not quite knowing what to do," Kuzma said. "It's a very intense process."
Iowa law requires any organization that encounters a security breach that affects at least 500 Iowa residents to notify the state Attorney General's Consumer Protection Division within five business days of notifying affected people.
From January to May 2023, 23 entities reported security breaches to the state attorney general, including the personal information of over 103,000 Iowans. In the same time frame in 2024, 50 entities reported security breach notifications affecting over 378,000 Iowans.
Last year, Gov. Kim Reynolds signed into law Senate File 203, which increased penalties for Iowans caught attempting to launch ransomware attacks, and House File 553, which provided liability protections to Iowa businesses that voluntarily adopt cybersecurity practices.
"We've seen health care, agriculture, and utility companies all be attacked," Kuzma said. "The size and complexity of a business does not necessarily reflect its risk profile. I mean, we've seen mom-and-pop shops that have been targeted."
© 2024 The Gazette (Cedar Rapids, Iowa). Distributed by Tribune Content Agency, LLC.