The hack of state government computers came a few months before a high-profile assault on the city of Atlanta's networks in March, when hackers sought a $50,000 ransom. The city's courts couldn't process ticket payments, the airport's Wi-Fi service was taken offline and city employees were told not to turn on their computers. Officials say there's no indication the two attacks were linked.
Georgia officials acknowledge they can’t always stop hackers, so they bought insurance to protect the public from the costs of inevitable breaches.
“We as a state are always trying to work to minimize any risk of a cyber attack. We know this is happening all around us,” said Rebecca Sullivan, assistant commissioner for the Georgia Department of Administrative Services. “The Legislature recognized that we are all vulnerable to cyber attacks.”
The city of Atlanta is also using cyber insurance in response to its ransomware attack.
The Atlanta government, which is under investigation for its compliance with Georgia's open records law, denied a request from The Atlanta Journal-Constitution for the value of its cyber insurance policy with AIG.
Unlike the state government, city officials redacted liability coverage amounts from insurance documents, citing undefined security concerns.
The malware attack instantly crippled computers at the Georgia Department of Agriculture.
Employees saw a message on their screens saying all their files were encrypted, and they would only be unlocked by paying one bitcoin per affected computer, or three bitcoins for all computers. At the time, a bitcoin was valued at more than $16,000, meaning the total cost to pay off the hackers would have exceeded $48,000.
After the attack, the state contacted its cyber insurance company to bring in a team to handle the problem, said Steve Nichols, Georgia’s chief technology officer.
“When you have these events, time is of the essence and you need experts to help you,” Nichols said. “We figured out what happened, stopped the bleeding and figured out our instant response plan.”
The government didn’t lose control of personal or business data as a result of the attack. The hackers simply wanted a quick payday, he said.
It cost $253,000 for the state to recover from the attack, said Julie McPeake, an Agriculture Department spokeswoman. The costs covered remediation work, investigations and consultants. Little is known about the identity of the attacker.
“GDA regarded paying the ransom inappropriate and therefore it was never an option,” McPeake said. “In addition, the requested ransom only accounted for the key to the hacked information. It did not include the cost of the additional work that would still needed to have taken place such as forensics and remediation.”
The infection penetrated government computers by scanning public-facing services and finding vulnerabilities, she said.
As a result, the Agriculture Department upgraded equipment, reviewed protocols and implemented new technologies to increase protection, she said.
Other state departments used similar computer systems, Nichols said. He said the government has strengthened its technology security but wouldn’t comment on specifics because of concerns that information could help hackers.
Georgia Department of Agriculture websites went offline after a malware attack Dec. 11, replaced with a message asking for patience until the issue was resolved. A team of technicians and investigators erased and reloaded 60 computers that had been infected by malware. The sites were back online 11 days later.
Governments and businesses are increasingly buying cyber insurance policies in the wake of many high-profile breaches, said Ryan Spelman, senior director for business development at the Center for Internet Security, a nonprofit organization that provides resources for cyber threat protection and recovery.
In one of the highest-profile attacks, Atlanta-based Equifax exposed the personal information of at least 143 million Americans last year.
Georgia’s large cyber insurance policy puts it ahead of most other state governments looking to protect public data, Spelman said.
“Every state is looking at cyber insurance,” Spelman said. “They all have some sort of plan about how they cover this cost in case something happens.”
Without cyber insurance, governments would have to pay the costs of an attack through general funds. Those costs could quickly rise into the millions of dollars if there were a major breach.
In South Carolina, a breach in 2012 exposed the personal information of nearly 4 million taxpayers and 700,000 businesses, costing the state at least $27 million for computer security upgrades and credit monitoring services.
That attack got the attention of government officials across the country, Nichols said.
“These sorts of black swan, very rare events are the main reason people go out and get cyber insurance policies,” Nichols said. “Other states are going to recognize that they’re underinsured, and they’re going to move to correct that.”
Georgia's policy is large because it covers more than 100 agencies — almost every branch of state government besides higher education, Nichols said.
A breach could cost the government about $165 per record, potentially resulting in “astronomical numbers” if a large number of people were affected.
Under Georgia's cyber insurance policy, the state is responsible for the first $250,000 in costs, leaving the insurance carrier responsible for the excess amount — an estimated $3,000 in the case of the Agriculture Department. The state's insurer for the first layer of coverage is XL Catlin.
Like any insurance policy, it’s meant to mitigate the costs of expensive and unexpected problems, Spelman said. Governments should also do their best to protect themselves so they never have to depend on insurance.
“If you can build yourself strong enough so that you never have to use it, it’s just peace of mind,” Spelman said. “You don’t want to have to file a claim.”
How we got the story
Georgia officials didn’t disclose much information about the December ransomware hack of the state Department of Agriculture while the incident was under investigation.
The Atlanta Journal-Constitution filed monthly requests for reports and findings related to the hack under the Georgia Open Records Act, but the department denied each of those requests based on an exemption to the law for ongoing investigations. After the investigation ended, the department wouldn’t release its final report last month, citing attorney-client privilege.
But Georgia officials agreed to answer questions about the hack.
Officials and public documents revealed the ransom note, the type of malware and information about Georgia’s $100 million cyber insurance policy, which is believed to be the largest of any state in the nation.