INDIANAPOLIS — It’s been three weeks since FOX59 broke the story of a ransomware attack on the Indianapolis Housing Agency that shut down the agency’s email and information system and put the personal data of 25,000 residents, vendors and Section 8 landlords at risk.
Thursday morning, IHA finally told landlord April Gartin what’s going on.
“No one notified me. Until this day and until this email, no one notified me and told me anything,” said Gartin as she read the message received from IHA. “I’m saying you’re a day too late. More than a day too late. We should’ve been notified instantly.”
“Instantly” was probably preferable to “late” for Gartin who hadn’t noticed that IHA missed the automatic deposit of its October rent payment into her account until the bank started bouncing her checks for Non-Sufficient Funds.
“I actually have for me a mortgage payment that was not paid so that put me in a bad spot,” said Gartin who racked up $120 in NSF fees. “My payment is due on the 16th of each month and I knew nothing about this until the 18th because I’m thinking everything went through and processed.
“There are people out here who have all these fees occurring and we knew nothing, so ,if we had known, maybe we could’ve put stop payments on our recurring bills.”
Gartin said after more than a week of unanswered phone calls, she received this email from IHA this morning:
Thank you for contacting the Indianapolis Housing Agency.Email sent by Indianapolis Housing Agency
As you know the Indianapolis Housing Agency (IHA) was a victim of a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt organizations by locking down the organization’s computers and IT systems until a ransom is paid. The IHA attempted to notify our participants, landlords, and the public through all available means. However, we do apologize for the inconvenience this has caused. You may submit your request for late fees and supporting documentation for review. Once the information is reviewed a determination will be made if further payments may be rendered.
“I shouldn’t have heard it through the grapevine that this was going on,” said Gartin who turned to FOX59 for information about the breach. “I seen your interview because of the person who told me about it. I went back and looked at it and I reached out to you because they could’ve handled this a lot better.”
The issuance of an email would seem to indicate IHA has made progress in recovering access to its system.
IHA Interim Executive Director Marcia Lewis turned down a request for an on-camera interview to update the investigation into and recovery from the hack.
Mayor Joe Hogsett’s office would say only that the City’s information systems are separate and distinct from IHA’s and not compromised by the agency’s breach.
One cybersecurity expert told FOX59 that government entities like IHA and school districts are susceptible to cyberthief intrusions.
“They will try to go after organizations that may be low hanging fruit, organizations they know maybe aren’t as well funded,” said Tony Sabaj of Check Point Technology. “We’re seeing a lot of specifically a Russian hacking group go after a lot of public school districts because they know the public school districts are underfunded and they can get information from those attacks, probably similarly with the Indianapolis Housing authority knowing that its probably not the most well-funded organization on the planet. I know its been very well documented over the last couple years about how they’re having budgets and other financial concerns so one of the things a lot of times get cut are the IT and technology and with that will come a cybersecurity budget also.”
For several months Lewis has told the IHA Board of Commissioners that the Agency was essentially out of money and potentially unable to meet its payroll or pay vendors while simultaneously brokering deals to sell off IHA properties to raise funds and pay down debt.
IHA’s admittance that it was the target of a “ransomware attack” would confirm that its server is being held until the cyberthieves can extract a payment from the Agency to release its control.
Hogsett told FOX59 that the FBI is involved in investigating the IHA data system intrusion.
“If they’re paying the ransom, there’s the cost of paying the ransom to get your data unencrypted in a traditional ransomware attack,” said Sabaj. “What we’re seeing be more common is double and triple extortion where an organization will pay the ransom to have their data unencrypted and give their availability back. That same organization will say, ‘Hey, if you don’t pay us again, we’re actually gonna release the information that we stole while we are encrypting your information and you have to pay us again,’ and there’s even an act of triple extortion where sometimes they’ll go after some of the business partners and maybe the vendors that are included in this attack.”
Sabaj said its possible the cybercriminals accessed the system months ago with malware lying dormant until its activation.
“The initial sort of start of the attack could’ve been months ago and nobody noticed or what we kind of call the dwell time of the initial foray into the organization until the time that its blatantly obvious that your machine are encrypted and your systems are down, that dwell time, as we call it, is usually about nine months, so, this could have been happening for the better part of this year based on historical data,” he said. “Restoring from back ups or having to rebuild systems is a very expensive undertaking. The average cost of a ransomware attack for an organization of this size can be upwards of five million dollars, just the response aspect of it, and that’s not even bringing in any fines that may come with it.”
IHA. U.S. Housing and Urban Development and City officials have been reluctant to reveal details about the hack investigation so as not to tip off the thieves to the efforts to recover the server and the information it contains.
“Having it be three to four weeks later usually points to the fact that they’re either restoring from back up and trying to rebuild the systems and get back on line and also making sure that they’re not re-introducing the malware or pieces of the attack that may be contained in back up in sort of gold images of the organization,” said Sabaj. “We know that the FBI is involved too, so, usually when the FBI gets involved, they’re not going to be overly public until the issue is resolved because they could be negotiating with the hackers which are usually not U.S. based people down the road or they’re probably from a non-semi-friendly country, so, they could be negotiating with the actual attackers to maybe negotiate their ransom but most likely they’re probably spending this time trying to restore their systems and make sure they can get back up and running without reintroducing the problem and going back and finding when the actual problem started and trying to rebuild from that point in time.”
“A restore rebuild from scratch or rebuild from back ups for an agency as large as this one, this isn’t a small office with five computers, this is an agency that is serving tens of thousands, 25,000 individual recipients of the benefits but also hundreds of vendors, it could take months to fully restore,” he said. “It could be a matter of months before they’re up and running again and then they also need to take a step back and look at their cybersecurity stance to make sure this doesn’t happen again. If you just go back to the same state you were in before this all happened, you’re probably still vulnerable to this type of attack in the future.”
Sabaj said IHA residents, tenants, vendors and partners should all assume their relevant personal and financial data has been compromised and therefore take steps to monitor and secure their information including reviewing credit reports.
“Usually after a breach like this, the agencies have to pay for some of these services for a given amount of time depending on what the individual laws are,” he said.
April Gartin would like IHA to take financial responsibility for the inconvenience and setbacks its breach has caused her.
“I think they should compensate anyone for any NSF fees when this happened because they had an opportunity to tell us this when it happened,” said Gartin who convinced her bank to waive the NSF fees once the extent of IHA’s hack became known.