Published Data Shows Breadth of Lowell, Mass., Hack

The data, released by the ransomware group Play, seems to include personal and personnel data such as medical billing records and employee disciplinary cases. The data was posted on the dark web May 11.

(TNS) — Documents given to The Sun appear to show that the data allegedly stolen from the April 24 hack of Lowell's municipal network includes personal and personnel data such as medical billing records and employee disciplinary cases.

The ransomware group Play, which has claimed responsibility for the cyber crime, released 5 gigabytes of data from that theft and posted it to the dark web on May 11.

Mixed in with the cache The Sun received are generic records such as publicly available information on the Lowell High School rebuild project. Some of the records date to 2017, suggesting that the exfiltrated data is broad in time, subject and departmental scope.

The documents were redacted by The Sun's source to remove identifying factors such as name, but the information provided a startling glimpse of what private information may now be available to cyber criminals and others.

The city provided its first status update since May 5 on its website, noting that "At this time, and for a number of reasons, the claim that data has been exfiltrated is being monitored by a variety of agencies, and waiting to be further assessed. Incidentally, it is important to point out that in the event any data was in fact exfiltrated, anyone accessing it for any reason would be subject to criminal prosecution. The City continues to monitor and ensure compliance with all obligatory reporting related to this event."

In an interview on 980 WCAP on Tuesday, Gary Miliefsky, publisher of Cyberdefense Magazine, said that he found over 2,700 records on the website amIbreached.com, a cybersecurity company that tracks records on the dark web.

"Assume the worst," he told Morning Show hosts Casey Crane and Gerry Nutter. "I would assume there's some identity theft out of this. They sell the records on the dark web. (They) sell and potentially resell, the name, address, date of birth, Social Security — everything they could get out of city records."

According to the city's status update, phone services across the city are 95% restored, and the "collection of all desktop PCs, along with a full deep clean, reset, and roll out continues, as does additional reconnectivity of the network."

Other services remain offline. The City Clerk's office has posted signs telling customers that business and dog licenses are not available, and cash or check only is accepted as payment.

Michael Gallagher, founding partner of the Lowell law firm Gallagher & Cavanaugh, which provides a wide range of legal services, said by phone on Wednesday that cybersecurity is good for business.

The longtime attorney, who is not directly involved in the city's hacking investigation, said that "A good business, a good nonprofit, a good municipality should have both strong cybersecurity software and training in place and a good backup — what are called disaster recovery systems."

Protected and redundant systems allow entities to either prevent or limit the scope of an attack, and recover data "in the event of a hack or some other disaster," he said.

Without those protections in place, the public release of hacked data containing sensitive personal information could result in claims by citizens against the municipality, Gallagher said.

"If a city failed to enact or put in place adequate cybersecurity training and or software and the like, which allowed a third party to come in and access data which the citizen or employee or both felt was protected, on its face, there would seem to be a colorable claim," he said.

In 2021, then-City Councilor Dave Conway submitted a motion that was eerily prescient. He requested that then-City Manager Eileen Donoghue report on the city's plan against a possible ransomware attack that would ensure that all city departments had sufficient protocols and updated technology to prevent hackers from compromising Lowell's systems.

The motion response to Conway's request two years ago was titled "Cyber Security Protocols" by Chief Information Officer Mirán Fernandez, whose department of Management Information Systems falls under the Finance Department led by Chief Financial Officer Conor Baldwin.

Fernandez told the council then that "The City of Lowell's MIS Department has adopted a baseline designed to improve our overall cybersecurity posture," which included "implementing best practices designed to secure our technology and data."

Gallagher noted that employees and citizens doing business with a city give out confidential information with the expectation that the municipality provide adequate safeguards to ensure it doesn't get out to a third party.

"There's a lot of information in a city," Gallagher said. "Medical, drug-related, alcohol-related information, Social Security numbers, financial information, indebtedness information. There's a lot of info that a bad actor could get a hold of and use against you."

Still, the litigator knows that when it comes to cybersecurity, people can feel a little "helpless."

"We're all vulnerable," he said. "Every one of us who has a computer — whether it's at work or at home — appreciates the fact that we're vulnerable, and we know what the city's going through right now."

A statement from City Manager Tom Golden late Wednesday provided a further update to the ongoing investigation:

"The City of Lowell continues to work with our federal and state partners, as this is an active and ongoing investigation.

We have recently received a copy of the data published by the PLAY group and assessed it as originating from the city. Our federal and state partners continue to monitor the dark web for any signs of the data being shared online, as well as for any additional data which may require our verification as to source.

Due to the nature of the cyber-related incident, the quantity of data exfiltrated remains to be determined.

However, the city remains fully committed to assisting any possible victims of this incident, is taking every step possible to prevent the further theft of sensitive data, and is working with third-party experts to assist us in doing so.

Out of an abundance of caution, the city is working to implement an identity and credit monitoring service for all city employees and their families."

©2023 The Sun, Distributed by Tribune Content Agency, LLC.