Georgia authority says ransomware attack thwarted, real estate portal online

A state authority that manages a key database of Georgia real estate records said it thwarted a ransomware attack and has returned its website and systems to normal operations.
The Georgia Superior Court Clerks’ Cooperative Authority, which operates a database for the state’s real estate index, said it detected the intrusion Nov. 21 and “immediately activated” defensive controls. The authority said it was also contacted by the FBI, which “underscored the seriousness of the threat.”
The GSCCCA restricted public access to all of its websites, applications and resources to “prevent the threat actor from advancing further.”
“We recognize that the temporary service outage was disruptive to the clerks, courts, partners, and citizens who rely on GSCCCA services every day. We sincerely apologize for this impact,” the authority said.
The authority manages an index for real estate and personal property records, including deed transactions and property liens. It is typically the first place real estate sales are made public in Georgia.
The GSCCCA said in a Nov. 28 news release it “cannot confirm that any data was stolen from our systems,” adding that “no evidence currently indicates that sensitive or non-public data was accessed or removed.”
The authority said it does not collect or store Social Security numbers, bank account numbers or credit card numbers, and that it does not retain or store sensitive financial data in its systems.
It did say it was able to interrupt the ransomware attack in progress before any data was destroyed, altered or encrypted, and that “the threat has been fully neutralized.”
A ransomware group called Devman had claimed responsibility for the cyberattack, according to multiple websites that track digital extortion threats. Devman claimed to have stolen 500 gigabytes of data in the Nov. 21 attack, according to the websites.
The GSCCCA confirmed that it received a ransom demand but “did not engage with the threat actor, and no ransom was paid.”
“The attacker provided a screenshot purporting to show access to GSCCCA data,” the authority said. “Our investigation confirms that the screenshot likely depicts a development server containing test versions of GSCCCA databases,” which have a subset of information and “numerous fields” that are “sanitized to support integration-partner testing.”
While its systems were shut off to the public, the authority said it inspected and scanned more than 100 servers and workstations, and its information technology teams worked to “harden affected systems” and close defensive gaps.




