A city in California didn’t disclose a ransomware payment for more than two years after its insurer covered the cost, the city manager acknowledged amid yet another ransomware attack on the municipality.
In 2018, officials in Azusa, Calif. paid $65,000 through its insurer Brit to free up its most vital system and used a free decryption key to unlock the others, City Manager Sergio Gonzalez said. The hackers took control of the city’s police dispatch system for more than a week in the fall that year, he said.
State-by-state data breach notification laws have different triggers for when hacking victims must report publicly on what happened. “We did not make a public statement and did not have to file anything legally because we could confirm that no data was migrated out” of police servers, Gonzalez said, according to local new accounts.
In an interview with CyberScoop, Gonzalez said the city — near Los Angeles with a population of more than 45,000, as of the 2010 Census — did report the attack to other local governments and anyone who needed to know under the law, which is focused on theft of sensitive personal data.
“There was nothing that we hid,” he said. “You don’t call your car insurance company and say, ‘I almost got into a car accident.'”
In the newest incident, which surfaced in March, the DoppelPaymer gang was responsible. The attackers, on the dark web, published the data they claimed they obtained. Gonzalez said the culprits in the 2018 case weren’t clear.
In the newest incident, however, Chubb balked at paying a $800,000 ransom demand citing a warning from U.S. Treasury, Gonzalez said. Azusa didn’t immediately disclose that incident, either, as California’s law has a provision saying that public disclosure isn’t required when it could interfere with a law enforcement investigation.
Chubb did not respond to a request for comment.
The back-and-forth is another example of the will-they-or-won’t-they dynamic that’s come up repeatedly with the cyber insurance industry. French insurer AXA recently decided new policies would not cover ransoms to criminal gangs, some insurers are hesitating to provide coverage and premiums are rising.
Gonzalez said the thought had entered his mind whether the earlier payment backfired, given the second attack. But he said it was short-sighted to focus on blaming state and local governments who are victims of ransomware attacks.
Instead, he said the question should be, “How does the federal government provide support to state and local municipalities so they become a harder target?”
Updated and corrected, 6/15/21: A previous version of this story incorrectly stated Chubb provided insurance in 2018 for the first incident. Gonzalez said Chubb was the city’s insurer in 2018, but subsequently updated that it had been Brit.