The office of Illinois Attorney General Kwame Raoul admitted last week that it was the victim of a ransomware attack that included the theft and publication of agency files. The announcement arrived about three weeks after a data breach was first detected and just a few months after the office was warned of its vulnerabilities.
In a news release Thursday, Raoul’s office said that the stolen data may include people’s names, addresses, Social Security numbers, tax information and other sensitive information, and that the full scope of the attack is still being assessed. Files belonging to the attorney general’s office first appeared April 10 on a website affiliated with the DoppelPaymer malware, which has also victimized local government organizations, such as Torrance, California.
“While we do not yet know with certainty what was compromised in the ransomware attack, we are working closely with federal law enforcement authorities and outside technology experts to determine what information was exposed, how this happened, and what we can do to ensure that such a compromise does not happen again,” Raoul said in a press release.
Technology systems in Raoul’s office are independent from the rest of Illinois’ state government, which was not affected by the breach, Gov. J.B. Pritzker said on Friday.
But the attorney general’s office had been made aware earlier this year that its networks were susceptible to incidents like ransomware when a February report from the Illinois Auditor General found it to be following weak cybersecurity practices. The audit, which covered a two-year span ending June 30 last year, found that the attorney general’s office “had not implemented adequate internal controls related to cybersecurity programs and practices.”
The office failed, auditors wrote, to conduct formal risk assessments or classify its data to better protect it. The AG’s office also did not appear to be following any formal security framework, such as the guidelines offered by the National Institute of Standards and Technology.
“The lack of adequate cybersecurity programs and practices could result in unidentified risk and vulnerabilities which ultimately leads to the Office’s confidential and personal information being susceptible to cyber-attacks and unauthorized disclosure,” the audit read.
In its response, Raoul’s office wrote that both the COVID-19 pandemic and “competing priorities” within its IT division delayed the completion of a risk assessment, though it said it would “regularly conduct” such reviews going forward. The office also reported that it applies “multiple layers of security” to its networks, including application-level security and monitoring, “stringent” authentication requirements, firewalls, continuous vulnerability scanning and intrusion detection.