On March 17, the Town of Houlton, Maine disclosed that they had experienced a malware attack.
According to their disclosure, on October 16, 2019, they discovered that part of their network had been locked up by a virus that prevented access to files. The department was able to quickly restore from backup, and claim that investigation subsequently revealed that the malware was active on the network between October 15 and October 16. Further investigation revealed that unknown individual or individuals had first gained access sometime between January 25 and October 15. Two investigative firms were unable to determine whether any data had actually been accessed or exfiltrated. The department therefore prudently notified everyone who had personal information that might have been accessed. Affected individuals have been offered services from Kroll that include monitoring and fraud insurance and identity restoration assistance.
The notification signed by Chief Timothy B. DeLuca continues:
Rest assured that we are committed to keeping the data we maintain as secure as possible. We are taking steps to minimize the potential for unauthorized access to our environment and making reasonable efforts to ensure the continued security of your information.
That might be a bit more convincing if this was their first malware incident. But it’s not.
In April, 2015, this site had quoted a report from News Center Maine that said, in part:
The Houlton Police Department was also hit by the same or similar virus early this week, and it locked up all their files. Chief Terry McKenna said they, too, were forced to pay the ransom to get their computer data restored
At the time, I had commented:
So now that they’ve publicly admitted that they’ve paid ransom to unlock their files, are they more likely to get hit again? Can they really be sure their employees won’t fall for the next malware attempt?
While it is commendable that the department was able to restore quickly from backup, how much has the department now spent recovering from these two malware incidents and providing services to those affected? Could that money have been better used preventing successful attacks? The department does not say how the attackers gained a foothold this time. Was it another phishing attack? And if it was, what additional steps should the department take at this point? What’s Plan B if just training employees is not sufficient?