Wichita, Kan., Cyber Incident Limited to Police Records

A ransomware attack that crippled the city of Wichita's network for more than a month starting in May was limited to a Wichita Police Department records system, city officials said Wednesday.

(TNS) — A ransomware attack that crippled the city of Wichita's network for more than a month starting in May was limited to a Wichita Police Department records system, city officials said Wednesday.

That means the Russian hacker group — LockBit — that claimed credit for the attack did not access bank card numbers, social security numbers or other private information about city customers or residents — unless the Police Department kept those records as part of an investigation.

The breached records include potentially sensitive information about witnesses, victims and suspects in 77,000 police cases. They included incident reports, arrest reports, supplemental reports, property reports, accident reports and traffic citations, City Manager Robert Layton said.

Layton, who has previously avoided disclosing key details about the cyber attack, said on Wednesday that the city's internal investigation is now considered closed, so he can provide more information to the public.

"We haven't really been able to get out the information on the data itself, and I think that was one of the most important things we wanted to talk about, to kind of ease people's concerns about their water bill information, for instance, and payment information, that type of thing," Layton said.

Layton said the city did not pay a ransom and had no contact with the Russian hackers who claimed credit for the attack and threatened to post the city's records on the dark web.

Many of the breached police records are subject to the Kansas Open Records Act, with the exception of some records in active investigations and sensitive information involving confidential informants, minors and victims of sex crimes.

The cyber criminals were also able to access some social security numbers, driver's license numbers and a small number of credit card or bank account records related to criminal investigations that would typically be redacted by the city's lawyers in police case files.

Layton said the hackers downloaded an unknown amount of data from the police records system, but the investigation did not reveal how many or which records were stolen.

"We know that there was a data transfer, but we do not know to the degree what they got," Layton said. "We can't tell you that everything that was in their record system was accessed, but, at the same time, I can't tell you that it wasn't."

Mike Mayta, the city's chief information officer, said everyone should assume the worst and take steps to protect their information.

"The best practice is to just assume that your information is out there already, somewhere," he said. "Through forensics, there was no way that we could tell what data was exfiltrated."

Consequences of the attack

Layton estimates the attack cost the city about $250,000, most of which is expected to be covered by the city's insurance policy.

A criminal investigation by the FBI is apparently ongoing. The FBI does not confirm or deny active investigations.

"The City of Wichita hasn't had direct contact with the FBI," Assistant City Manager Donte Martin said. "Upon contacting our insurance provider, we were connected with an expert in handling cyber incidents. That person guided us through this process — Mullen Coughlin is the name of the security experts, a law firm that handled the work.

"Mullen Coughlin had communication with the FBI and provided all requested information. Our primary contacts were the attorneys of Mullen Coughlin."

The attack coincided with federal authorities unsealing an indictment against LockBit's alleged leader, Dmitry Yuryevich Khoroshev, a resident of the Russian Federation. The U.S. State Department also announced a $10 million reward for information that leads to his arrest. The indictment called LockBit "the most prolific and destructive ransomware group in the world" that has extorted at least $500 million in ransom payments from multinational corporations, local governments and nonprofit organizations since 2020.

LockBit listed the city of Wichita's data on a dark web page and said it would release the records if no ransom was paid by May 15. But the records were never released on that listing, a check of the listing shows.

Layton said it appeared other organizations with the same vulnerability were blanketed with attacks around the same time the vulnerability was discovered. He would not say what the piece of hardware was that was breached.

"It's an appliance we purchased from a third party," Layton said. "That's about as far as we can go. We want to be concerned about vulnerability of us going forward but also others as well. So it's — think of it as a system that we buy from an outside party that is part of our total system. So it plays a role, but I can't really get very deep into what that does. They had a vulnerability that was discovered internationally. So it was in this system. We worked with them to close off that vulnerability, but they got in during that action. While we were doing that, and that's when Mike and his staff basically unplugged us and turned off all access."

Wake-up call for city

Records such as credit card numbers and personal information provided to pay water bills and other business with the city were not breached, Layton said.

The city's computer systems have all been restored with beefed-up security protocols, he said. Eisenhower Airport is still experiencing some lingering effects, Layton said, because the city is using the cyber breach as a reason to update the airport's WiFi system.

"I don't think there was anything to indicate that this attack was uniquely focused on the city of Wichita," Martin said.

"The prevalence of cyber incidents leading to data privacy being at risk is increasingly growing, so continuing to tap into credit reporting tools, credit monitoring tools, remaining aware," Martin said. "We were fortunate in regard to being able to navigate this incident in a fairly short amount of time, but this is one of many incidents that just seems to be going on on a daily basis, so remaining vigilant and monitoring your credit is, I think, good advice."

Layton said the attack was a wake-up call for the city, which has added IT security experts to the staff to prevent future attacks.

"We're in a time when there are sophisticated cyber criminals who are working to access systems, and it's pretty prevalent out there," Layton said. "So I don't think anyone should ever represent that they are immune or that this couldn't happen to them, and so we'll never represent that we wouldn't have more incidents in the future."

Martin, the assistant city manager, said the city is already preparing for another disruption at some point in the future.

"Our staff has taken the opportunity to look at our continuity of operation plans. As you're well aware, for 30 to 45 days, many of our services were down," Martin said. "We're taking a look at what we can do to maintain operations during system outages. Primarily, our continuity of operation plans is focused on general disasters. This gave us an opportunity, firsthand opportunity to take a look at what we need to do in regard to reliance on it, and how we can become more stable or provide ongoing services for residents and customers."

© 2024 The Wichita Eagle (Wichita, Kan.). Distributed by Tribune Content Agency, LLC.