By Gary Warth | [email protected] | The San Diego Union-Tribune
Four months ago, the city of Santee "experienced a data security incident involving the theft or encryption of company property," according to an attorney hired by the city, which subsequently awarded a $603,000 contract to a company that deals with ransomware to attempt to recover the stolen data.
Since then, city officials have revealed little about the investigation, what data was involved or whether there was a demand for ransom. "I can't really say anything about that," Santee City Manager Marlene Best said.
Best also said she could not give a timeline for when the investigation into the cyber incident might wrap up.
"We're still working on some of that process, and realistically we're doing good," she said, reiterating that there were no public safety concerns. "I don't have anything else I can tell you on that topic."
The only official statement issued from the city came in September and said the cybersecurity incident, which occurred Aug. 20, impacted the computer network that services administration offices for the city.
"There was no impact to any systems that support 911 services, and the outage did not cause any public safety issues," the statement read. "The City remained open for business throughout the entire incident, and we have largely resolved the issue."
The two-paragraph statement referred to "certain third parties" that are helping address the incident, and concluded with a broad prediction about when the investigation would complete.
"The City is continuing to evaluate the information that may have been compromised," it read. "We expect our investigation will conclude over the following weeks or months. We want to thank our employees and our community for their patience and understanding while we addressed the issue."
Three days after the incident, on Aug. 23, the city signed an agreement with Coveware, which describes itself as ransomware recover first responders, and awarded the company a $603,000 contract.
The San Diego Union-Tribune requested a copy of the contract, but was initially denied with an explanation that it involved an on-going investigation and the documents were protected from disclosure by attorney-client privilege. The city later released a heavily redacted copy of the agreement after being contacted by the newspaper's attorney.
Part of the contract that was not redacted read that the company had been hired "in order to attempt to recover property."
A professional in cybersecurity said he could not tell exactly what Coveware was doing for the city based on what he could read in the contract.
"In this case, we don't know what the services being provided are, as they're redacted," said Luke Connolly, a threat intelligence analyst with the New Zealand-based cybersecurity software and consulting company Emsisoft.
Responding by email, Connolly wrote that cyber criminals, also known as threat actors, typically will steal data and demand a ransom for their return.
The encryption holding the data hostage could be defeated in a few ways, such as a clever technician discovering a mistake made by the threat actor or law enforcement finding a way to free the data, Connolly wrote. Another solution outlined by Connolly is to pay the ransom.
"Without more information we're just speculating, but we do know that the cost was $600k, which seems like a large sum for at least a couple of the options," Connolly wrote.
In another type of extortion, a threat actor who steals sensitive data that could be harmful or embarrassing if released will demand money to keep the data concealed.
"I'll note as long as organizations continue to make ransomware payments to the criminal gangs, the gangs will continue to look for and find new victims because they follow the money," Connolly wrote. "If the money were to dry up because no one met their extortion demands, the TAs (threat actors) extortion activity would most likely drop off precipitously."
In 2021, Scripps Health was hit with a cyber attack. At the time, the health care system also was not forthcoming with details of the incident, including whether hackers were threatening to release sensitive data or were demanding money to return the encrypted data. In May 2024, Palomar Health Medical Group was the victim of a cyber attack that shut down its computer systems, including digital phone services, making electronic medical records inaccessible for months and forcing staff to document everything from appointments to prescriptions with pen and paper.
Health care systems have become a frequent target of cyber attacks in recent years, with incidents more than doubling between 2022 and 2023, according to the Cyber Threat Intelligence Integration Center. An attack on Change Healthcare in February left patients across the country unable to fill prescriptions and doctors unable to bill insurance providers.
After health care, government is considered the second most-frequent target of cyber attacks across the country.
In Texas, the city of Borger had to operate its water supply manually because of a cyber attack in 2021, while computer systems in 22 small Texas towns were held for ransom in a 2019 hack. New Orleans, New York and many other cities have reported cyber attacks and ransom demands in recent years.