For Tops Staffing, a suburban Pittsburgh company with workers across the nation, the cyberattack shook the business like few other events.
Employees were locked out of their computer files, while attackers targeted Social Security numbers and other personal data, sending the business into a tailspin for days as it fought to regain control of some of its most critical information.
The company contacted the FBI and scrambled to get back online. Susan C. Dietrich, the principal owner and president, called the situation “one hell of a problem.”
But in an era when experts believe greater transparency about such attacks is crucial to combating ransomware – a pernicious and often lucrative brand of cybercrime – the attack in June remained largely secret for months until the company sent letters to workers.
“It was a huge mess,” one former employee said.
The crisis at the staffing and recruiting firm underscores the dangers that unfold each year in Pennsylvania that have cost victims millions of dollars in clashes rarely revealed to the public, the Pittsburgh Post-Gazette found.
There’s no state law that requires businesses to alert any Pennsylvania regulator about the increasingly dire threat of ransomware attacks, which have been blamed for disrupting – and crippling – gas pipelines, health care systems, government offices and institutions of higher education.
Victims over the past six years include Philadelphia’s mass transit agency, Pittsburgh TV station WPXI, the Allegheny Intermediate Unit, state Senate Democrats and even the Allegheny County district attorney’s office, which paid a $1,400 ransom.
FBI data shows that Pennsylvania led all other states in ransomware losses in 2020 – more than $5 million – spread among 116 victims, but national experts say those numbers are likely an undercount.
The FBI doesn’t disclose information about the targets of the attacks, but because of transparency laws in states such as Maine and Massachusetts, information about the attack on Tops reached the public.
Because some Tops employees lived in those states, the laws mandated the Pennsylvania company alert Maine’s attorney general and Massachusetts’ office of Consumer Affairs and Business Regulation about the crisis.
In Massachusetts, four people were affected; in Maine, only one. But one was enough.
Marc Malon, a spokesman for the Maine attorney general, said he was surprised that details about a Pennsylvania attack were not openly shared, while praising his state’s robust consumer laws and reporting requirements – even if they end up safeguarding a single resident.
“If you think about the impact that could have on someone’s life, the hardship it causes, the disruption it causes, we think it’s worthwhile,” Malon said.
In Pennsylvania, companies must notify people that their personal information might have been compromised, but former Tops workers who agreed to talk to the Post-Gazette said they were riled that it took five months.
For its part, the company said its internal inquiry ended in October – four months later, according to Maine records. “The only thing I can tell you is that those investigations take time,” said company CEO J. David Cepicka, Dietrich’s brother.
On the rise
Across the nation, cyber assaults are on the rise. Just last month the U.S. Treasury Department estimated that suspicious financial transactions stemming from the invasions hit $398 million in the first half of this year – compared to $527 million in all of 2020.
One of the most serious attacks took place in May, when the ominously named DarkSide, a transnational gang, shut down the Colonial Pipeline, which runs the nation’s largest fuel pipeline.
Gas shortages and panic followed up and down the Eastern Seaboard, and the company paid a $4.4 million ransom. The government deemed the threat so critical that last month the State Department offered a $10 million reward for information about the group’s ringleaders.
Also struck this year: JBS, the world’s largest meat processing company, which paid $11 million to get its data back; and the Washington Metropolitan Police Department, which refused to negotiate a ransom after thousands of sensitive documents stolen from the agency were leaked.
Former workers at Tops blamed what they described as a lax approach to cybersecurity and said the company banked on being able to reboot its system, but found out the hard way that it wasn’t so easy.
“Their strategy was very simple. They were going to delete the server, outsmart the hackers, reinstall from a backup and all would be solved,” one former worker said.
But, ex-employees said, the hackers invaded the backup system, too.
Cepicka refused to divulge anything about the ransom demand or whether it was paid, how the attack was carried out or what kind of financial hit the company took.
The desire to keep details about ransomware attacks private is not unusual, even for public institutions, but experts say a lack of transparency is not good when trying to mount defenses against malicious actors.
A day before Thanksgiving, Butler County Community College learned of a ransomware attack that began five days earlier. The cyber assault disabled systems and led to the cancellation of classes and shutdown of its campus until Dec. 6.
“We understand that the ongoing IT situation is deeply frustrating,” the college posted on its website, declining to reveal much more. If the school had not spoken publicly about the breach, it’s not clear when or how the scant details it released would have come to light since no records were disclosed.
Even years later, the Allegheny County district attorney’s office declined “for security reasons” to discuss details about a 2015 ransomware attack on a single computer in its office. It opted to pay a cryptocurrency ransom worth roughly $1,400.
That incident was reported only after federal prosecutors revealed that the DA’s office was one of several local victims of an international cybercrime network known as Avalanche.
James Lee, chief operating officer of the San Diego-based Identity Theft Resource Center, took aim at the lack of transparency laws across the country that govern how people are alerted to ransomware attacks – and how much needs to be revealed.
“Our notification system is broken. There’s no question. It’s broken, it’s inefficient and it’s ineffective,” Lee said.
“It’s a state-by-state system where every state defines personal information differently. They have different requirements for when you notify someone, how you notify them, if you notify them.”
That means there’s no uniformity in how a single ransomware attack that affects people in multiple states is handled. Victims’ rights differ depending on where they live.
“That’s not fair,” Lee said, pointing to the disparity between Maine and Pennsylvania. “That’s because Pennsylvania’s is a weak law, Maine’s is a strong law.”
Josephine Wolff, a Tufts University associate professor of cybersecurity policy, noted that while states mandate disclosure to people if their private data has been compromised, ransomware reporting requirements are almost nonexistent in the U.S.
“This is a massive issue both in terms of transparency for individuals who may be affected, but it’s also a massive policy issue because we don’t really have a sense of the scale of this problem, how often it’s happening, how many of these businesses are being hit,” Wolff said.
No sector immune
In a ransomware attack, shadowy thieves reach out through cyberspace, creep into computer systems and prowl around for valuable data.
To get in, they might dupe unsuspecting users to click on a dangerous link in an email. Sometimes they exploit employee carelessness to gain access. Or they could probe for weaknesses in systems with old software that hasn’t been updated with security safeguards.
The attackers, often organized into gangs, strike thousands of victims each year – and no sector is immune.
Ransomware attackers encrypt data, essentially locking it behind virtual bars, and sometimes leave victims with ransom messages on their computer monitors or direct them to a website with demands and instructions.
If victims want to unlock files, folders and emails to regain use of their computers, they must pay a ransom in cryptocurrency, such as Bitcoin. And if the ransom is paid, the attackers might provide a key to unlock the data.
There’s no guarantee, though, said Timothy J. Shimeall, a senior member of Carnegie Mellon University’s Software Engineering Institute’s CERT division.
An entire nefarious industry has sprung up, with coders selling malware, brokers handling money laundering and the criminals who demand the ransoms. There are even businesses that specialize in negotiating with hackers to lower their ransom demands.
And more and more often, the attackers threaten to post the stolen data online on the dark web in what’s known as double extortion.
Make no mistake, Shimeall said: Ransomware is a dangerous, well-practiced criminal enterprise.
“They’re not teenagers sitting bored in a bedroom,” he said. “This is more like the old-time gangs that say, ‘Pay us or you won’t like what happens to you.’ The thugs that are forcing the network to pay protection money, they’re not at all upset about burning down your business.”
In a highly disruptive attack on Clearfield County this year, criminals hacked into the computers and demanded a payment in six figures. They also released data online, but most of it was unimportant – like court papers – and amounted to “a big nothing burger,” said County Commissioner Dave Glass, who added that nothing was paid.
But that’s not always the case. Trade secrets and crucial competitive data could be at stake, which is what happened to Polish video game company CD Projekt Red earlier this year. Ransomware culprits threatened to leak the source code for some of its games online, and in June the company said it believed that had happened.
Without knowing the true extent of ransomware attacks and what defenses work best, it’s difficult to forge strategies and promote best practices, experts said.
“We don’t have a lot of data about the best ways to protect against it,” according to Wolff, of Tufts. “We’re kind of blind when it comes to trying to figure out what we should be recommending to businesses. We don’t have a lot of empirical data to support what reduces risk.”
Ransomware victims leery of revealing attacks have predictable reasons for keeping quiet.
“Why would you tell anybody?” Wolff said. “It’s embarrassing, it’s bad for business, it opens you up to lawsuits.”
But that silence might not serve the greater good.
As far as mandatory disclosures, Wolff said this: “That’s going to come when the ransomware attacks are so significant and so severe that we’re taking them seriously in Washington. I think you’ve seen the first hints of that in Colonial Pipeline.”
In July, the Biden administration unveiled the StopRansomware.gov website, described as a “one-stop hub for ransomware resources for individuals, businesses, and other organizations.”
In announcing the tool, the administration said attacks on small businesses, which make up roughly 75% of all ransomware cases, are often unnoticed.
“Like most cyber attacks,” the government said, “ransomware exploits the weakest link. Many small businesses have yet to adequately protect their networks. …”
State Sen. Kristin Phillips-Hill, a York County Republican, agrees that it’s important to know the true scope of ransomware attacks. But before tackling the issue in the private sector, she said she’s intent on getting the government’s house in order.
To that end, the senator has proposed a bill, currently in committee, that would mandate an annual ransomware report by the state to the Legislature about attacks on commonwealth agencies.
The bill also would bar such victims from paying a ransom using tax dollars, a prohibition favored by some experts.
Photo: The office of TOPS Staffing and Resource Group is seen on Wednesday, Feb. 14, 2018, in Plum. (Lake Fong/Post-Gazette)
Graphic: Pennsylvania is one of the top states for data breaches, the FBI says. (Metrographics)