Fast Fast Forward

Hometown hacking: Communities in US and Canada become cyber targets

Communities in US and Canada become cyber targets

By

Scott Schleicher, Underwriting Manager

It’s easy to see why Target was a target.  Home Depot too is a depot of valuable information and credit card numbers.  Even a health insurer like Anthem could have a wealth of personal information that could garner a good payout from someone. 

But why Dallas, Texas; Licking County, Ohio; and Terrasse-Vaudreuil, Quebec?  What might cities, towns and municipal agencies have to offer cyber criminals?  Plenty. 

As corporations have beefed up their cyber security awareness and networks, cyber criminals have set their sights on easier targets – our hometowns. 

In Dallas recently, 150+ tornado sirens were hacked to cause their non-stop blaring for nearly two hours without any tornadoes in sight.  One morning in 2015, residents of Terrasse-Vaudreuil, a small town in Quebec, woke up to find their municipality’s official website displaying a terroristic message, hacked by a group claiming to be the Middle East Cyber Army. In Ohio earlier this year, Licking County's government offices were completely shut down by ransomware which obstructed access to the county’s computer network, phones – even shutting down its police force – until the county government paid a bitcoin ransom.

Even more recently, San Francisco's Municipal Transportation Agency fell victim to a similar ransomware attack inviting its light rail system, the Muni. The hackers reportedly demanded 100 Bitcoin, or roughly $70,000, to release Muni ticketing machines from their control or else face data encryption.  There was a temporary shutdown of machines and free rides for passengers before the Muni's systems were cleared of infection.

Easy Targets

Like most thieves, cyber criminals like to do their share of preying on easy targets.  And besides that, communities and public agencies have an abundance of information to snag.   Consider that municipal governments gather process and store a tremendous amount of personal data about their employees including social security numbers, bank account numbers for payroll direct deposits and retirement data, to name a few.   Then, there are residents’ tax records, criminal records, marriage licenses and, for some, credit cards on file to pay municipality-provided utility bills or property taxes.  And community services departments have their own stash of information.  Just consider that a local police car has a laptop that sends and receives data about drivers’ license status, insurance, arrest records, and other data.  Local public school systems as well as maintain data including teachers and other employees’ employment information as well as students’ addresses and social security numbers. 

Such data, known as Personally Identifiable Information (PII), make municipalities, government agencies and other public entities potentially profitable targets for cyber criminals. Small governments and local agencies generate tons of sensitive information.  According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving PII.  Individual Security breach laws typically have provisions regarding who must comply with the law including businesses and government entities.  

Required notification can be costly.  According to the 2016 Cost of Data Breach Study, which is conducted by the Ponemon Institute and sponsored by IBM, the cost of breach resolution continues to rise.  The 2016 study shows the average total cost of the breach response and resolution has increased to $7.01 million from $6.53 million last year: A rise of 7% year over year.  According to the study, the average cost per compromised record at $221: A rise of 2% from last year’s figures or $4 per record.

Quick Cash

 

Hackers also see the immediate opportunity of a quick payout.  That’s why, by far, the biggest cyber exposure to municipalities is ransomware.  As described in the Licking County, Ohio and San Francisco incidents, cyber criminals release a malware into a system, often by some unsuspecting employee who clicks on an emailed link which releases the havoc.  Once the malware is releases and spreads to other parts of the system, files cannot be accessed, phones may go down, databases locked.  The hackers demand a ‘ransom’ often in cryptocurrency such as bitcoins.  It is not an astronomical amount, but enough, that they gain access to cash and the municipality yields to enable timely access to their systems.   (Read why paying ransom often does not make the problem go away.)

Some cyber security experts believe that cyber criminals also see towns, smaller cities and other local agencies as a pathway to bigger opportunity.  Many local communities are connected to state and even federal agencies.  Hacking locally is just one step forward toward a bigger hacking opportunity. 

 

"

As corporations have beefed up their cyber security awareness and networks, cyber criminals have set their sights on easier targets – our hometowns."

 

Underfunded Defense

 

Over the last several years, major corporations have seen their share of cyber incidents and now, have whole cyber security teams using the latest technology to build a strong defense against future attacks.  Municipal governments, school systems and other public agencies   simply don’t have the necessary policies, procedures and personnel in place to create a cyber-secure environment.  In addition, they typically do not have the monetary resources to have one IT dedicated employee, much less a cyber security expert. 

​Despite lack of resources, many public entities are learning that their cyber risk can still be lessened.  One of the simplest and very effective cyber security defenses is a good security awareness training program.   Many local governments and agencies rely on anti-virus and firewall protections and focus very little on the educational need to prevent cyber-attacks. 

Employees are a public or private enterprise’s first line of protection. There are a variety of services, including low-cost training or educational videos aimed at improving workforce awareness – bringing employees up-to-speed on suspicious calls or emails aimed at staff, ‘phishing’ attempts that dig for personal information, and suspicious email attachments.  Education goes a long way in preventing breaches.  (Read about how other companies, including XL Catlin, educate their employees.

​Many communities are also turning to outside cyber security experts.  Cyber security contractors provide various services including detailed security audits, business continuity planning, penetration testing – where the contractors themselves aim to get through a firewall to test its security – and simple end-user security awareness programs. 

In It Together

In addition to boosting their security efforts, many municipalities, school systems and public agencies are purchasing cyber insurance coverage.  While some larger cities and government agencies purchase standalone coverage, smaller communities are transferring some of their cyber risk as part of their pooled insurance programs or Joint Insurance Funds (“JIF”).  JIFs are public entities chartered that allow local communities to pool their risk management resources and share the cost of their  fire, liability, automobile, workers’ compensation insurance and now, also their cyber insurance. 

Today’s cyber insurance coverage, typically through its cyber-extortion component, is intended to address the costs associated with an incident such as a data breach or ransomware attack.  (Find out more about cyber coverage specifics.)

Final Thought

No community wants to welcome a cybercriminal.  They use deception and persistence to break into systems and steal data or extort valuable community funds. 

Just as many communities set up a Community Watch to prevent crimes in their neighborhoods, they have to boost their online diligence as well. Fortunately, they don’t have to do it alone.  Communities are pooling together to buy the right insurance protection and turning to a growing cyber security industry for expert advice to keep cyber criminals from crossing town lines, literally and virtually.  



About the Author

Scott Schleicher is an underwriting manager in XL Catlin’s Cyber and Technology Insurance Business.  He can be reached via email at scott.schleicher@xlcatlin.com or via phone at 1-301-529-2148.

Copyright 1996-2017  XL Group Ltd All Rights Reserved

XL uses two forms of cookies on this site:

  1. to enable the site to operate and retain any preferences you set; and
  2. for analytics to make the site more relevant and easy to use.

These cookies do not collect personal information. For more information about our cookie usage, please click here. To comply with EU privacy laws you must consent to our use of cookies.

By using this site, you agree that we can place these types of cookies on your device. If you choose to change your cookie settings you will be presented with this message the next time you visit.