By Shaun Delliskave | [email protected]

Murray City paid a $121,300 ransom to hackers after the city identified unusual activity in its IT systems (including encrypted network files) for the Aug. 7 cyberattack. The attack hindered the functionality of both the phone system and online services. 

Mayor Brett Hales’ Chief Communications Officer Tammy Kikuchi said, “We continue to investigate this incident with the assistance of subject matter specialists who are working to confirm the full scope of the event. To try and provide details at this point would include mere speculation. Therefore, while the investigation is underway, we are unable to disclose specifics of the attack.”

During the week of the hacking, Murray residents and businesses could not access city systems to pay utility bills or licenses. Also, city hall could not receive or make phone calls. In addition, the city was forced to forgive late fees due to computer system inaccessibility.

The ransom was paid from Murray’s Retained Risk Reserve Fund, which handles uninsured losses. The risk fund provides coverage for up to a maximum of $350,000 for each general liability claim. The city also uses the Retained Risk Fund to purchase commercial insurance for claims more than the coverage provided by the fund.

Recently, cities throughout Utah have been under attack by hackers. In September, Eagle Mountain City was the victim of a $1.13 million cyberhack by an online impersonator posing as a vendor working with the city on an infrastructure project. Clearfield reported that in 2021, hackers encrypted their computer systems and demanded several million dollars.

Kikuchi acknowledged that an investigation is ongoing, but also that the city is fully operational, and any impacted systems have been remediated. However, the city did not elaborate on whether residents’ and customers’ information had been impacted.

“Should the investigation identify an impact to personal information, we will provide the appropriate notices as necessary,” Kikuchi said.

According to cybersecurity firm GovPilot, “In today’s environment of near-constant information security threats, the local government workforce is the first line of defense against intrusion by criminals or hostile nations. The internet has made it easier for adversaries worldwide to attack even the smallest municipality, department or agency. Workers at all levels of government and across departments need to receive cybersecurity awareness training and establish proper behavior, habits, knowledge, and compliance protocols to protect critical information and systems.”

The FBI states that the most frequent way these attacks start is with an email with a malicious attachment or a link. These links could unleash software that spreads throughout the system, allowing the hacker to access and control computer systems.

“From the beginning, the city has been supported by a team of cybersecurity experts. Potential access points were quickly identified, and those access points have since been closed. All network systems were fully restored within seven days of the attack. The city has taken additional measures to create a more robust approach to cybersecurity. This ongoing process will take time to implement and finalize and includes continuing aggressive backup schedules, third-party assistance, and even more robust requirements to access the network and applications,” Kikuchi said. 

Murray City officials, the mayor, and the city council have been cautious in providing information to the public about the cyberattack. Status updates have not appeared on the city’s website nor as a matter of public record in meetings. When asked why information has not been more forthcoming, the city responded, “We appreciate the public’s patience and understanding. The city received several requests for information from local media and responded to those. As the investigation continues, the city will provide further updates as necessary and as relevant information becomes available.”