St. Clair County Data Breach Impacted More Than 600 People

The Illinois county’s eight-month review of a ransomware attack on its computer systems last spring has found that hackers may have been able to view or acquire personal or medical information on more than 600 residents and non-residents.

(TNS) — St. Clair County, Ill., has completed an eight-month review of a ransomware attack on its computer system last spring, prompting the release of more details about what happened.

More than 600 people will receive letters in the mail this week, informing them that the breach may have allowed hackers to view or acquire their personal or medical information.

"Individuals are encouraged to remain vigilant against events of identity theft by reviewing account statements (and explanations) of benefits and monitoring free credit reports for suspicious activity and to detect errors," according to a county statement.

"Any suspicious activity should be reported to the appropriate insurance company, health care provider or financial institution."

The letters were reportedly mailed Monday by Kroll, a private New York-based firm specializing in data protection that is working with the county and its cyber insurance company.

An analysis by Kroll's experts found no evidence that any of the information accessed by the hackers had been misused or caused problems, according to Jeff Sandusky, the county's information technology director.

"The predominance of the data was fairly old — 15 years plus — so it's not relatively recent data," he said Tuesday.

The 600 people include both St. Clair County residents and non-residents who have received services or done business with various departments or offices. Sandusky called the focus "random."

Illegally accessed information could include names, addresses and dates of birth; Social Security numbers; driver's license or state identification numbers; medical diagnoses and treatments; health care and insurance providers.

A "malware infection" prompted Sandusky to shut down the county's computer system and website for several days, beginning May 30, 2021.

"The amount of time we were down was self-imposed," he said last month. "We had to verify our data integrity, as well as implement some security measures to protect the system."

The county released few details on the breach last spring. On Tuesday, Sandusky confirmed for the first time that a ransomware group had asked St. Clair County for money and officials refused to pay it.

Sandusky still isn't revealing the name of the group or amount of money requested due to an ongoing federal investigation.

"My goal is to make sure we share as much information with the public as we can — because they have a right to know — and to make sure that people understand we are doing everything we can in a very challenging world to protect their data while providing the services that they need," he said.

St. Clair County is one of a growing number of counties, school districts and other public bodies across the United States that are being hacked. Some pay ransoms, and some don't. Severity of damage varies.

Here is a timeline for last spring's ransomware attack, according to St. Clair County officials:

—The IT staff detected "anomalies" with the computer system on May 27, 2021, and took protective action.

—A cyber attack occurred on May 30, and Sandusky shut down the system.

—The county contacted its cyber insurance company and launched an investigation with the help of Tracepoint, a national company that specializes in cyber incident response and recovery.

—The investigation revealed that an "unauthorized actor" had accessed the computer system, possibly viewing or acquiring information on May 27 and removing files on May 30.

—The person or group asked for ransom money, and county officials refused to pay it.

—By this time, the Federal Bureau of Investigation was involved in the case.

—The website and computer system were gradually restored with most departments up and running within 72 hours.

—Kroll was brought in to do a "thorough and time-consuming" analysis to determine whether the hackers viewed or acquired sensitive data and who was affected.

At the time of the breach, a ransomware group calling itself "Grief" claimed it had targeted St. Clair County and other organizations, demanding payment in cryptocurrencies such as Bitcoin and Monero, according to several publications specializing in cybersecurity.

In screenshots of the group's website, obtained by the Belleville News-Democrat, the group claimed it had obtained 2.5 gigabytes of data, including internal company documents and personal and customer information.

Today, the county's IT staff is continuing to review existing internal policies and procedures related to data protection and cybersecurity and making appropriate changes, according to Sandusky.

In retrospect, he sees both positive and negative impacts of the ransomware attack.

"A negative is that we still had a (cyber insurance) deductible that we had to reach, so it did cost the county money. ... It cost us time and productivity. It caused challenges in serving the public for a few days," Sandusky said.

"On the positive side, it did highlight the importance of cybersecurity. It highlighted the importance of investing in infrastructure — all of the things that our country is trying to do aggressively."

Sandusky referred questions about costs incurred by St. Clair County for the cyber insurance deductible and other activity related to the ransomware attack to Frank Bergman, director of human resources, who didn't immediately return calls for comment on Tuesday.

People who want more information regarding the security breach and how they can protect themselves should call 855-632-1644 from 8 a.m. to 5:30 p.m. Monday through Friday.

(c)2022 the Belleville News-Democrat (Belleville, Ill.) Distributed by Tribune Content Agency, LLC.