Thursday, November 14, 2024

County Evades Question on Ransomware Payment


The Hernando Sun reached out to the county to find out whether the county, or someone acting on its behalf, paid the ransom in the recent ransomware attack. The response from Dominique Holmes, Hernando County Government Public Information Officer, was to reference several statutes and deny the request. Her response is below.

“The public records request below is confidential and exempt from public disclosure pursuant to the following statutes:
Section 119.0713(5), Florida Statutes
Section 119.0725, Florida Statutes
I am sure you are also aware of the statute 282.3186.”

The first statute cited, 119.0713(5), allows the withholding of information that “if disclosed, would facilitate the alteration, disclosure, or destruction of such data.” The second statute cited, 119.0725, relates to an incident and allows the government to not disclose “Coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages acquired for the protection of information technology systems, operational technology systems, or data of an agency.” The final statute states, “a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”

Reading these laws, it still might have been possible for the county’s insurance to pay the ransom.
The lack of a response does not indicate that the answer is yes, since the county has denied most of our public records requests. The county initially refused to say whether the IT outage was due to a breach or another type of failure. It cited an active investigation and said it was therefore not required to provide information on the incident.


The rules are different for private entities. The FCC requires that “covered entities must file individual, per-breach notifications for any breaches affecting 500 or more customers (or an indeterminable number of customers). Notice must be provided within seven business days after reasonable determination of a breach.” The SEC requires notification within four business days after a public company determines that it is the victim of a breach.

Whether or not there was a breach is important information for the county’s residents, since a breach with information for sale on the dark web means that residents should be taking extra time to review their financial information. Credit cards could be used fraudulently, and fraudulent credit applications could be filed (especially for people who provided W-9 information to the county).

The Hernando Sun managed to find an auction on the dark web and confirmed that data was exfiltrated in the ransomware attack. Up to that point, the county had refused to confirm that it was a ransomware attack and whether data was taken.

Rocco Maglio
https://www.roccomaglio.com
Rocco Maglio is a co-founder of the Hernando Sun. He grew up in Brooksville and graduated from Hernando High. He then worked in technology for starting in the early 1990s. He was fascinated by the potential of the Internet even though at the time there were not graphical browsers. He recently earned a Master of Science in Information Technology with a specialization in Cybersecurity.