The report does not disclose who authored it, nor does it make clear how much of the expenses the city would have incurred regardless of the attack.
But with a potential figure of $17 million, Atlanta’s ransomware attack is one of the more expensive suffered by any local government in the U.S. in 2018.
By comparison, a ransomware attack against Colorado’s Department of Transportation earlier this year is expected to cost $2 million.
"We are pleased with the progress of the recovery efforts. In addition to responding to the criminal attack against the City of Atlanta, we are using this opportunity to make the City more secure," said a spokesperson in an email. "Unfortunately, in today's world, governments are seeing an increase in cyber attacks… As you already know, the City is insured against cyber-attack. We continue to work through that process for the most cost-effective outcome for our residents."
In March, city employees were told to shut off their computers to stop a virus from spreading through the network and encrypting data. A cyber criminal group demanded that the city pay it about $51,000 in bitcoins, a cryptocurrency that allows for anonymous transactions online.
The city refused to pay the ransom.
For weeks the watershed department could only accept payments at City Hall, and the city’s municipal court had no way of accepting payments for traffic tickets.
The city has yet to reveal the extent of data loss. But two months ago, the AJC and Channel 2 Action News discovered that years of Atlanta Police footage from officers' patrol cars was lost and could not be recovered after the March attack.
Chief Erika Shields said the lost footage could compromise DUI cases if an officer’s testimony isn’t sufficient. It’s unclear how many investigations might be affected.
Of the $6 million the city has already agreed to spend, the vast majority is paying for security services and software upgrades, according to the confidential report. The city will pay about $1.1 million for new desktops, laptops, smart phones and tablets.
Before the attack, the city received years of warnings about security weaknesses.
The city’s independent auditor in 2010 warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.” In 2014, the city still lacked such a plan.
Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.
“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.”
According to a 2017 list of employees in the department of Atlanta Information Management, only two of the department’s 154 employees had the word security in their titles.
The city’s information technology leadership appears to have been overwhelmingly focused on making Atlanta a so-called “Smart City” — a designation for cities that emphasize information and communication technology to enhance public services such as utilities and transportation.
However, several cyber security trade publications in recent months have highlighted how these cities are especially vulnerable to attacks because of massive interdependent computer systems that constantly communicate with each other and often aren’t tested for weaknesses before being deployed.
In the first few months of 2018, the department of Atlanta Information Management’s Twitter page references “Smart Cities” in nearly every tweet.
Just before the attack, the department on Twitter advertises a locally held smart city technology forum titled “Can’t Out-Smart Atlanta.”
“It’s Smart City panel time!” the department tweets on March 15.
Its next tweet is a video of Atlanta Mayor Keisha Lance Bottoms’ first press conference regarding the ransomware cyber attack.