New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, plaintiffs’ medical records and personal data for thousands of city employees.
But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter.
Officials have not said how the intruder obtained the worker’s credentials, nor have they determined the scope of the attack. But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal agency’s system and the incident.
The intrusion interrupted city lawyers, disrupted court proceedings and thrust some of the department’s legal affairs into disarray. And on Tuesday morning, in a conference call, Mayor Bill de Blasio admonished the heads of city agencies to shore up their cyberdefenses or face consequences in the event their agencies were hacked, according to three people who were on the call.
The mayor’s warning to the agency heads comes 10 days after the city’s Cyber Command, created by de Blasio in 2017 to defend the city’s computer networks, detected unusual activity on the Law Department’s computer system.
The next afternoon, June 6, city officials have said, they removed the department’s computers from the city’s larger network. Many remain disconnected.
De Blasio, in public appearances last week, said that the hack was under investigation by the New York City Police Department’s intelligence bureau and the FBI’s cyber task force. He said officials were not aware of a ransom demand being made or of any information being compromised.
Officials also said there was no evidence that the attack had damaged the city’s computer systems, though the investigation was still in an early stage. Investigators are still trying to determine the identity of the perpetrator and the motive.
“We’ve identified the malware — we have seen it before,” John Miller, the Police Department’s deputy commissioner for intelligence and counterterrorism, said at a news conference.
“Is it someone looking to corral information, export it and then do a ransomware attack?” Miller said. “Is it another kind of actor looking to gather information for other strategic purposes?” Both were possibilities, Miller added.
A City Hall spokeswoman and a spokesman for the Law Department both declined to comment Thursday.
Multifactor authentication, a measure familiar to many who work on computers at home and at the office, requires users logging into sensitive accounts to take at least one additional step to verify their identities, like entering a temporary numerical code sent to a user’s cellphone.
The tool has been widely adopted in recent years, cybersecurity experts say, as hackers increasingly target government, business, hospitals and infrastructure using stolen passwords and other credentials. This allows them to penetrate computer systems to disrupt operations or steal data, which can be used to demand a ransom.
The vast majority of ransomware attacks taking over American towns, cities and hospitals were made possible because the targets failed to turn on multifactor authentication, cybersecurity experts and officials said. Hackers exploited the lack of multifactor authentication to force the shutdown of the Colonial Pipeline in May and in an attempt to poison the water supply in a small Florida town in February 2020, officials have said.
Diligent hackers have found ways to bypass multifactor authentication on software used by the Pentagon and many Fortune 500 companies. But cybersecurity experts say its use is still one of the simplest ways to significantly reduce the odds of a successful attack.
In an urgent memo earlier this month, the White House urged American organizations to use multifactor authentication, in addition to other safeguards like backing up data.
A directive issued by New York’s Cyber Command in April 2019 required all city agencies to use multifactor authentication for access to restricted or sensitive information, according to a copy of the document obtained by The New York Times.
Geoff Brown, head of Cyber Command and New York’s chief information security officer, acknowledged at a news conference last week that the city had issued such a directive, but he refused to answer a question about whether the Law Department used the tool.
“At this time answering questions about the protection of city systems could give the attacker insight” into the city’s internet technology or the ongoing investigation, Brown said.
The Law Department’s servers ran on Microsoft software released in 2003, which the company stopped providing critical security updates for in 2015.
The failure to update software makes municipal systems a ripe target for hackers who simply scan the internet for unpatched software and exploit it. The Florida water treatment plant hacked last February also used a decade-old version of Microsoft Windows that had not been updated in years.
In his phone call Tuesday with city agency heads, de Blasio cited multifactor authentication and up-to-date software as priorities that needed to be addressed immediately, according to the officials who participated in the call.
Katharine Rosenfeld, a lawyer who in one case represented a pregnant woman who sued the city after being handcuffed while she was in labor, said the security lapses revealed the Law Department was “scarily sloppy” in its handling of confidential information.
“Think of all the medical records that we give them of our clients, mental health treatment, settlement negotiations,” Rosenfeld said. “It just makes me very worried.”
The disabling of the Law Department's computer system after the attack has had an impact that has rippled through New York courts, slowing cases and forcing city lawyers to ask for extensions on deadlines.
“While the undersigned has recently regained remote access to email,” one city attorney, James Jimenez, wrote to a Brooklyn federal judge on Tuesday in a false-arrest lawsuit, “I am still unable to remotely access any case files or documents.”
In federal court in Manhattan, the attack fueled a dispute in a set of high-profile lawsuits accusing the Police Department of using excessive force and making unjustified mass arrests during the demonstrations in New York last year after the murder of George Floyd by a Minneapolis police officer.
Plaintiffs’ lawyers have complained that the Law Department, citing the hack, has refused to say when it will turn over critical documents that the lawyers say they need to investigate what they have called the city’s “brutal response” to the large-scale protests.
The Law Department has accused the plaintiffs’ lawyers of using the hack to “engage in gamesmanship” and of suddenly deciding that “now is a good time to inundate defendants with a barrage” of new document requests, a city lawyer, Dara L. Weiss, wrote to the court last week.
Weiss said that despite the “technological challenges,” the hack had not halted progress in the case.
“Defense counsel have not been sitting on their hands,” Weiss added.
By Ashley Southall, Benjamin Weiser and Dana Rubinstein
c.2021 The New York Times Company