CONFIDENTIAL REPORT: Atlanta’s cyber attack could cost taxpayers $17 million

The cyber attack that struck the City of Atlanta in March could cost taxpayers as much as $17 million, according to a report obtained by The Atlanta Journal-Constitution and Channel 2 Action News.

The seven-page document — marked “confidential and privileged” — identifies roughly $6 million in existing contracts along with an additional $11 million in potential costs associated with the March 22 attack.

“It is breathtaking in that they’re having to do a complete overhaul,” Don Hunt, a professor at Georgia State University’s Andrew Young School of Policy Studies, told Channel 2. “They’ve been very busy the past few months.”

The report does not disclose who authored it, nor does it make clear how much of the expenses the city would have incurred regardless of the attack.

But with a potential figure of $17 million, Atlanta’s ransomware attack is one of the more expensive suffered by any local government in the U.S. in 2018.

Credit: Rodney Ho

icon to expand image

Credit: Rodney Ho

By comparison, a ransomware attack against Colorado’s Department of Transportation earlier this year is expected to cost $2 million.

"We are pleased with the progress of the recovery efforts. In addition to responding to the criminal attack against the City of Atlanta, we are using this opportunity to make the City more secure," said a spokesperson in an email. "Unfortunately, in today's world, governments are seeing an increase in cyber attacks… As you already know, the City is insured against cyber-attack. We continue to work through that process for the most cost-effective outcome for our residents."

In March, city employees were told to shut off their computers to stop a virus from spreading through the network and encrypting data. A cyber criminal group demanded that the city pay it about $51,000 in bitcoins — a crypto currency that allows for anonymous transactions online.

The city refused to pay the ransom.

For weeks the watershed department could only accept payments at City Hall, and the city’s municipal court had no way of accepting payments for traffic tickets.

The city has yet to reveal the extent of data loss. But two months ago, the AJC and Channel 2 Action News discovered that years of Atlanta Police footage from officers' patrol cars was lost and unable to be recovered after the March attack.

Chief Erika Shields said the lost footage could compromise DUI cases if an officer’s testimony isn’t sufficient. It’s unclear how many investigations might be affected.

Of the $6 million the city has already agreed to spend, the vast majority is paying for security services and software upgrades, according to the confidential report. The city will pay about $1.1 million for new desktops, laptops, smart phones and tablets.

March 23, 2018 Atlanta: Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations on Friday March 23, 2018. Friday's action comes as city officials are struggling to determine how much sensitive information may have been compromised in a Thursday cyber attack. The city has also received demands that it pay a ransom of an unspecified amount, officials confirmed. But officials had yet to make a determination if it would pay the ransom. Hartsfield-Jackson International took down the wi-fi at the world's busiest airport after a cyber attack on the city. The Atlanta airport's website said after the cyber attack that security wait times and flight information may not be accurate. JOHN SPINK/JSPINK@AJC.COM

icon to expand image

Before the attack, the city received years of warnings about security weaknesses.

The city’s independent auditor in 2010 warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.” In 2014, the city still lacked such a plan.

Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.

“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.”

According to a 2017 list of employees in the department of Atlanta Information Management, only two of the department’s 154 employees had the word security in their titles.

The city’s information technology leadership appears to have been overwhelmingly focused on making Atlanta a so-called “Smart City” — a designation for cities that emphasize information and communication technology to enhance public services such as utilities and transportation.

However, several cyber security trade publications in recent months have highlighted how these cities are especially vulnerable to attacks because of massive interdependent computer systems that constantly communicate with each other and often aren’t tested for weaknesses before being deployed.

In the first few months of 2018, the department of Atlanta Information Management’s Twitter page references “Smart Cities” in nearly every tweet.

Just before the attack, the department on Twitter advertises a locally held smart city technology forum titled “Can’t Out-Smart Atlanta.”

“It’s Smart City panel time!” the department tweets on March 15.

It’s next tweet is a video of Atlanta Mayor Keisha Lance Bottoms’ first press conference regarding the ransomware cyber attack.