The New York Police Department’s database of fingerprints was knocked offline over the weekend thanks to a ransomware scare, according to reports.
The malware was introduced to the network via a contractor who was installing a digital display, according to an article in the New York Post. To do the install, the person (the company has not been identified) plugged a NUC mini-PC, which turned out to be infected with the malware, into the network. The installer was questioned but not charged with any crime, suggesting that the incident was inadvertent.
From there, the ransomware rapidly proliferated to 23 other machines connected to the LiveScan fingerprint-tracking system, the NYPD told the Post.
“This incident serves as a reminder that even with good technical controls in place, all it takes for one act of negligence by an employee or contractor such as clicking on a link, or as in this case, plugging in an infected device into the network for trouble to spread rapidly,” Javvad Malik, security awareness advocate at KnowBe4, told Threatpost.
“While most organizations have policies in place that prevent the use of removable media, or define how they should be used, simply having procedure written down is not sufficient on its own. People need to be made aware and frequently reminded of the policies, the requirements, and the risks associated with not conforming to them,” Malik said.
Thankfully, however, the ransomware didn’t execute.
Deputy Commissioner for Information Technology Jessica Tisch said that NYPD erred on the side of caution, taking LiveScan offline Friday night and reinstalling software on 200 computers citywide. It also notified the department’s cybercommand and the Joint Terrorism Task Force of the incident.
“By Saturday early morning — I remember it was still dark out — we were bringing the system online,” Tisch told the Post.
The department dodged a bullet, according to Peter Martini, president and co-founder at iboss.
“The catastrophic capabilities of ransomware attacks on public institutions are frankly astounding and if an attack on a major city is successfully carried out, it would likely qualify as a national emergency,” he said in a recent column.
Public institutions are increasingly in the sights of ransom-seeking cybercriminals, with a string of costly ransomware attacks targeting city governments in the past two years. In September, New Bedford, Mass. announced that it was opting to pick up the pieces and restore what it can from backups itself, after attackers demanded a hefty payout of $5.3 million.
In August, 23 Texas entities – the majority of which were local governments – were hit by a ransomware attack that Texas officials said was part of a targeted attack launched by a single threat actor. In May, the city of Baltimore became a victim of ransomware, which halted some city services like water bills, permits and more, with crooks demanding a $76,000 ransom. Meanwhile in 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000.