Lafayette officials announced the city was hit with a ransomware attack on the city’s computer system on July 27.
The attack disabled the network services causing city emails, phones, online payments and reservation systems to be affected. Over the weekend, city officials paid $45,000 to retrieve the key to unlock the encrypted data.
According to a statement, city staff detected the infection and ransom notification at 6:50 a.m. July 27 and disabled all network connections to contain the malware spread. According to the city, a preliminary investigation shows the ransomware entered the city’s network through a phishing scam or brute force, and looks like a random attack.
Ransomware is a type of malicious software designed to block access to a computer system or files until a sum of money is paid.
City officials said the ransomware that attacked the city was used to block access to the city’s computer until the city paid a $45,000 ransom to receive a “key” to unlock encrypted data.
“In a cost/benefit scenario of rebuilding the city’s data versus paying the ransom, the ransom option far outweighed attempting to build,” according to the statement. “The inconvenience of a lengthy service outage for residents was also taken into consideration.”
Mayor Jamie Harkins in a video said using taxpayer money to pay a ransom was not the ideal direction to take.
“We attempted to pursue any possible avenue to avoid paying the ransom,” Harkins said. “Staff worked to determine the severity of the attack while analyzing data and backups to find alternative solutions.”
She said the city did not share updates because it would have created a “strategic disadvantage” for the city.
Financial data appears to be recoverable from unaffected backups, according to the statement.
“Personal credit card information was not compromised,” according to the statement. “There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.”
Officials said they will be sending a security breach notification to individuals who have personal information on the city’s network. Currently, system servers and computers are being cleaned and rebuilt. Once finished, the data will be restored to the system and operations will resume.
“No permanent damage to hardware has been identified,” according to the statement. “Mutual aid from neighboring jurisdictions was brought onsite to assist, and a cyber security analyst was contracted to provide forensic investigation and recovery.”
Additional resources were also deployed from the Boulder Office of Emergency Management and the State Office of Information Technology.
On Monday, City Administrator Fritz Sprague enacted a declaration of local disaster emergency in response to the cyberattack, which allows for outside assistance from the state, neighboring jurisdictions and private contractors with technological expertise to help the city.
The declaration will be in effect for seven days unless extended by City Council. Council is set to consider the extension during Tuesday’s meeting.
The city said it is taking steps to install crypto-safe backups, deploy additional cybersecurity systems and implement regular vulnerability assessments to prevent future data threats. It is unable to estimate a timeline that all systems will be back up and running and has created temporary phone numbers and emails.
To report a problem visit cityoflafayette.com/reportaproblem.
To contact Planning, Building and Inspections, call 303-929-6010 or email firstname.lastname@example.org. To contact Public Works, call 720-641-7386 or email email@example.com.
The Finance Department is unable to answer water bill payment or water bill questions at this time. The temporary phone number is 720-701-2159 and the email is firstname.lastname@example.org. To contact the Recreation Center or Senior Services call 303-472-4806 or email either email@example.com or firstname.lastname@example.org.
To contact Indian Peaks Golf Course, call 303-801-8683 or email email@example.com. To contact the Library call 303-775-9018 for curbside pickup appointments or email firstname.lastname@example.org.
To contact Lafayette Police Records email email@example.com. The Lafayette Municipal Court can be emailed at Lafayettemunicipalcourt@gmail.com.
The general email line is firstname.lastname@example.org. Communications can be reached at 720-539-0608 or Communications.email@example.com.