Is the Town of Marblehead Keeping Its Data…and Yours…Safe?
Recently, cities and towns in Massachusetts and across the United States learned the hard way that municipal data–including personnel information about town employees and financial records containing residents’ banking and other personal information–had been hacked. Worse, some of the hacks locked down all computer access for these cities and towns until a ransom had been paid.
Once thought to be a far-fetched premise for a Jason Bourne movie, such hijackings of private data and demands of ransom for the return of access are becoming more common. And municipalities are paying the price. In Tewksbury last year, a phishing attack resulted in losses of more than $100,000 for the town. While Tewksbury reportedly expects to recoup most of its stolen monies through its insurance carrier, the event was a wake-up call and resulted in a renewed effort to focus on cyber security training and resources. If history is any guide, damages costing millions of dollars are not out of the question. New Orleans city officials worked around the clock for a year to dig out of a cyber attack that ultimately cost the city approximately $5 million and jeopardized its ability to deal with everything from public safety during Mardi Gras to a host of city services.
The Town of Marblehead undertook an assessment toward the end of 2021, completed by Clifton Larson Allen LLP, that examined its finance department. The report concluded that multiple aspects of the town’s financial structure were flawed, some of them severely. Among those areas that need improvement or even a complete overhaul are the town’s information technology (IT) systems, including both hardware and software. According to the assessment, “[t]he Town’s computers still run Windows 7, for which all Microsoft support ended in January 2020. Continuing to use this operating system is a security liability. In addition, most, if not all, computers and other IT hardware are past the refreshment cycle.” What this suggests is that Marblehead is vulnerable and very lucky that to date it has not faced a frightening and costly situation involving ransomware or stolen data.
Thatcher Kezer, Marblehead’s newest Town Administrator, spoke with Marblehead Beacon. “Today is day four on the job for me,” he said, “and I am looking at things from a twenty-thousand-foot view.” Kezer has a background in cyber security, having been Director of Cyberspace Operators with the National Guard, according to his LinkedIn profile. “I’m not a network engineer,” he noted, his past cyber experience being more directed toward management and policy. Kezer also served as the City of Amesbury’s Mayor for eight years, and, more recently, Framingham’s Chief Operating Officer.
The recommendations within the report to centralize, unify, and update many of Marblehead’s computer processes and systems could mean that Kezer could play an important role moving forward. According to the Town of Marblehead’s website, the Town Administrator “is responsible for the day-to-day operation and oversight of town departments and appointed positions under the jurisdiction of the Select Board.” Following Town Administrator Jason Silva’s departure at the beginning of this year, and the recent exit of interim Town Administrator and Finance Director John McGinn, Marblehead’s Select Board voted unanimously to hire Thatcher Kezer for this role.
Asked whether he’d had the opportunity to review December’s report that highlighted potential danger zones for the town in terms of hacking potential, Kezer said he had not. “I’m making the rounds and flagging the issues to drill down on and get to see what’s broken and what needs to be fixed.” In response to a Marblehead Beacon question regarding whether the prior administration had made mistakes in allowing such IT vulnerabilities to exist, Kezer said, “I can’t speak to anything that happened more than four days ago, but am eager to assess the operations of the town.”
With respect to remedying the more urgent flaws noted in the assessment about the town’s IT systems, Kezer shared that an outside firm had been contracted to begin work on July 1–some six months after the report’s release–to make IT infrastructure changes. Marblehead Beacon asked Kezer if he had seen the contract or knew the scope of work and he said that he had not, but would be seeking it out. Marblehead Beacon has requested this as well as other documents pertaining to the planned fixes.
As to whether the proposal by the outside firm includes overhauling software so that it may be patched and updated regularly as needed according to the audit, Kezer said, “my sense is yes, but I haven’t seen the proposal yet. The audit will be a guidepost, but even without it, we need to make our systems safe for things like Social Security numbers and other data.”
According to a Marblehead resident who works as an executive in the IT security arena, and who asked not to be named, “In the past I have offered my services, free of charge, to the town, but have not been taken up on my offer. I am concerned about my own data as well as that of the town,” he said. “We as town residents pay our bills and provide our banking information to various departments’ billing systems,” he noted. “No platform is the same–from gas to electric bills.” Additionally, hundreds of municipal employees presumably have their personal payroll and performance information stored on potentially insecure platforms. Meanwhile, according to the Clifton Larson Allen audit, “[t]he Finance Director is also the IT Director for the Town and must respond to and solve any IT problems that might come up. This ranges from implementing new software to fixing servers to resetting passwords.” All this makes for what appears to be–at best–a highly inefficient system and–at worst–a breach waiting to happen.
With more than 150 different bank accounts owned by town departments and accessed regularly by people who should not–according to the audit–be permitted to have access, and with a computer system that is so old that it can no longer be patched or get support from Microsoft, the audit underscores the gaps that leave the town vulnerable. “Our town’s onboarding and offboarding processes are so weak that there is no consistency in the timing of shutting off access to town computers once an employee leaves,” according to the resident with expertise in IT. “We literally have no viable anti-virus software and no ability to allow for multi-factor authentication.” The litany of issues with our town’s computer systems should be at the top of the list of must-get-dones, he noted, and said that as things stand, the town is a “hacker’s dream.”
According to the Washington Post, “[c]ities that are unable to recover on their own have been forced to pay hundreds of thousands of dollars to cybercriminals to unlock their computers. The FBI discourages such payments, but officials acknowledge they may be necessary in some cases.” We do not want to be in such a position, said the Marblehead resident and IT specialist. “And it’s preventable, but we have to put security in place, which will cost money.”
Kezer was asked about whether he would be open to hearing from IT specialists who live in the community such as the individual who spoke with Marblehead Beacon. “It makes sense to have vendors with whom we have a contractual relationship” be the ones who do the work, but Kezer did note that he is certainly open to such input and guidance from local experts about possible weaknesses.
Earlier this week, Marblehead Beacon learned there may have been repeated phishing attempts on employees of the Marblehead Public Schools. Stephen Kwiatek, Director of Educational Technology, was contacted to verify if this had, indeed, happened. “Nothing was breached,” he noted. “It did happen, and it happens to everyone, not just here. Some employees did click on the phishing emails but we were able to reset passwords and make sure no personal data had been compromised.” The offending emails looked normal and had no attachments, said Kwiatek, just a link for people to click on, which some unfortunately did. Asked if the IT Department runs training programs for employees on matters like phishing and other cyber risks, he said that it is something he plans to implement in the future, as there is no formal security awareness training right now. He has, however, sent emails to employees regarding red flags in emails.
Stay tuned for updates to this story.
1/19/2023 Editor's Note: The word "audit" has been changed in several places to the word "report" or "assessment," as it was not technically an audit. The word "audit" remains where it was used in a quotation.