The East Windsor Township’s computer system has been compromised by unknown hackers, but it took more than two weeks for township officials to publicly acknowledge the breach and notify township residents.
A message – “Notice of Cyber Incident” – scrolled across the top of the East Windsor municipal website March 18. It stated that officials “became aware of the cyber incident March 7,” which is one week after the township learned of emails sent to recipients “that had the appearance of coming from East Windsor Township officials.”
In fact, The Windsor-Hights Herald received an email from a concerned resident March 3. The email stated that the township’s computers had been hacked the prior week, which would have placed it in late February or early March.
“Last week, the East Windsor municipal offices were hacked, likely by individuals overseas. All of our email addresses were dumped,” according to the March 3 email received by The Windsor-Hights Herald.
“We have been getting township emails containing viruses from unknown sources, and the entire township is in a panic. We don’t know what was released. There have been dozens of reports of this on social media, and we have not been notified at all (by East Windsor Township),” according to the resident’s email.
The Windsor-Hights Herald attempted to contact Mayor Janice Mironov by email March 7 and again on March 14 for comment and an explanation. Mironov did not respond to the emails.
East Windsor officials did not publicly acknowledge the incident until March 15 – despite state law requiring notification to anyone who may have been affected by the security lapse. The law applies to businesses and public entities in New Jersey.
State law requires any business or public entity that compiles or maintains computerized records that include personal information to report a breach of its security to the Division of State Police in the Department of Law and Public Safety. East Windsor Township is a public entity.
Once the State Police has been notified, the law requires “customers” or affected persons “whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person” to be informed of the breach.
Notification to persons affected by the breach is required to be made “in the most expedient time possible and without any unreasonable delay, consistent with the needs of law enforcement,” the state law says.
The Windsor-Hights Herald contacted the New Jersey State Police March 14, and was referred to the East Windsor Police Department. The New Jersey Department of Homeland Security also was contacted by email and stated that it could not confirm whether East Windsor had been victimized.
The East Windsor Police Department acknowledged the security breach in a press release issued March 15 – but only after being contacted the day before (March 14) by The Windsor-Hights Herald, as advised by the New Jersey State Police.
The East Windsor Police Department press release stated that township officials “became aware of suspicious activity related to the municipal building’s computer system” on March 7. The system was taken offline and the township has been working with cybersecurity specialists and governmental partners to restore the operations, the press release said.
The East Windsor Police Department referred all additional inquiries to Township Manager James Brady. He was contacted by The Windsor-Hights Herald March 15.
Brady confirmed in a March 17 email to The Windsor-Hights Herald that township officials had notified the New Jersey State Police, the New Jersey Department of Homeland Security and the Federal Bureau of Investigation of the computer hack.
“If the investigation determines that data has been affected, the township will make the appropriate notifications, as soon as possible, and in compliance with state and federal law,” Brady wrote in the March 17 email.
“The exact manner of notification, if necessary, will be determined based upon the results of the investigation,” Brady wrote.
A “Notice of Cyber Incident” began scrolling across the top of the township website the next day on March 18. It stated that “the week prior to March 7, the township became aware of dissemination of emails that had the appearance of coming from East Windsor Township officials.”
“These emails are not official emails. Residents are advised to review and scrutinize all emails that appear to come from an East Windsor Township email address, and not to click on or open any attachments or links contained in the email.”
Tips that emails are fake include the use of foreign telephone numbers in the email, such as 044-689-7850, fax 090-173-2994 and mobile 090-7569-0018. The fake emails also refer to financial paperwork or documents being attached, according to the alert.
Residents who have not had recent business with the township should be cautious, especially if the emails appear to be from old business matters, the alert said.
The alert encourages residents who have questions about an email to contact the East Windsor Township Manager’s Office at 609-443-4000, ext. 246, or via email at firstname.lastname@example.org.
“Cybersecurity specialists are investigating all aspects of these matters to assess what occurred and identify any potential impacts, including the source of the false emails sent to residents,” the alert said.