PONT Data&Privacy

Lochem municipality crawls through the eye of the needle in hack

On June 6, 2019, the Lochem municipality discovered that its ICT system had been hacked. Investigations do not show that personal data of residents were viewed, stolen or altered in the hack. However, the approach does show that the perpetrator(s) were very sophisticated. The attack was aimed at encrypting large portions of the municipality's records and demanding a ransom. A data breach of company data has been reported to the Autoriteit Persoonsgegevens.

Municipality of Lochem September 5, 2019

This is what the digital forensic investigation by Netherlands Forensic Incident Response (NFIR) commissioned by the Lochem municipality revealed. The municipality has shared the results of the forensic investigation with the police to aid the ongoing criminal investigation.

All available traces examined

NFIR investigated all available leads. By moving forward in small steps over several months, the attacker(s) were able to keep the attack undetected. Only a small step remained before much of the data would actually have been encrypted. In preparation, ransomware had already been left behind digitally.

Active testing for weaknesses

In addition, Lochem decided to commission a comprehensive penetration test to actively look for weaknesses in its ICT systems. This produced 64 findings. These contain points for improvement for the municipality, but also for our suppliers. Follow-up on these points for improvement started immediately.

"Lochem has crawled through the eye of the needle"

Finally, security expert Brenno de Winter was asked to assist in combating the crisis and write an interpretive report. He concludes that Lochem "crawled through the eye of the needle," because encrypting data could have caused tons of damage. However, the municipality did incur incidental, unbudgeted costs.

Not unique to Lochem

De Winter warns that this attack could affect many businesses and municipalities, and that other examples from equally large municipalities show that successful ransom attacks can cost tons. This is why technical measures are needed, as well as attention to how to cope with the lightning-fast developments in the world of cybercrime.

Data breach

Although no resident data was affected, a data breach has occurred. The attacker(s) likely accessed the usernames, names and email addresses of employees and council members of the Lochem municipality. Because this is a data breach, it has been reported to the Autoriteit Persoonsgegevens. Employees and council members have been informed.

Learning from Lochem

Mayor Sebastiaan van 't Erve: "Data are the lifeblood of our work as a local government. Data must be safe with us and can be entrusted to us digitally without question. From this interest I had this hack investigated. Learning from incidents helps with resilience and reduces the chance of recurrence. We literally crawled through the eye of the needle. Information security and the rapid organization of operational deployment must be high on the agenda of government and business. I am grateful to all parties involved for their efforts during this incident. I am glad we were able to prevent worse. I am happy to share our lessons with others. The Information Security Service supports municipalities in this."

Reports public

Because the reports contain investigative information, a management summary of the forensic investigation was created so that as much as possible can be shared with everyone. The findings of the Municipal Information Security Service are fully public. Except for the findings around detection, De Winter's report is public.

Management summary research - NFIR

Learning from Lochem - IBD

Note Consideration incident management municipality of Lochem - IBD

Clarity report - Brenno de Winter
