More than two months after East Windsor Township’s computer system was compromised by unknown hackers, township officials have not divulged who was behind the hack nor any of the steps being taken to prevent future incidents.
East Windsor residents are still in the dark about how the hack occurred, the number of residents or businesses affected, and the nature of the information that was stolen and that may affect them personally.
Neither Mayor Janice Mironov or Township Manager James Brady responded to an April 27 email from The Windsor-Hights Herald asking for updated information about the incident in time for the newspaper’s May 3 weekly deadline.
The newspaper’s email asked whether the identity of the hacker or source of the hack had been determined, and what steps are being taken – if any – to prevent another computer hack.
Officials also were asked whether East Windsor Township has a dedicated IT department or whether it has someone dedicated to monitoring and handling the township’s computer system. Some towns have outsourced the work.
Mironov and Brady also were asked whether residents were notified of the computer breach, in addition to a message – “Notice of Cyber Incident” – that has been scrolling across the top of the East Windsor Township municipal website.
The Windsor-Hights Herald received an email from a concerned resident March 3, which stated that the township’s computer system had been hacked the prior week, in late February or early March.
The resident’s email to the newspaper stated that residents had been receiving emails purportedly from East Windsor Township and that contained viruses. The email addresses of residents who had contact with the township in the past had been obtained by the hackers.
The Windsor-Hights Herald contacted Mironov by email March 7 and March 14 for comment and explanation, but she did not respond.
East Windsor officials did not publicly acknowledge the incident until March 15, despite state law requiring notification to anyone who may have been affected by the security lapse. The law applies to businesses and public entities in New Jersey.
State law requires any business or public entity that compiles or maintains computerized records that include personal information to report a breach of its security to the New Jersey State Police. East Windsor Township is a public entity.
Once the New Jersey State Police has been notified, the law requires “customers” or affected persons “whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person” to be informed of the breach.
Notification to persons affected by the breach is required to be made “in the most expedient time possible and without any unreasonable delay, consistent with the needs of law enforcement,” according to state law.
The Windsor-Hights Herald contacted the New Jersey State Police March 14, and was referred to the East Windsor Police Department. The New Jersey Department of Homeland Security also was contacted by email and stated that it could not confirm whether East Windsor had been victimized.
The East Windsor Police Department acknowledged the security breach in a press release issued March 15 – but only after being contacted the day before (March 14) by the The Windsor-Hights Herald, as advised by the New Jersey State Police.
The East Windsor Police Department press release stated that township officials “became aware of suspicious activity related to the municipal building’s computer system” on March 7. The system was taken offline and the township has been working with cybersecurity specialists and governmental partners to restore the operations, according to the press release.
The East Windsor Police Department referred all additional inquiries to Brady, the township manager. He was contacted by The Windsor-Hights Herald March 15.
Brady confirmed in a March 17 email to The Windsor-Hights Herald that township officials had notified the New Jersey State Police, the New Jersey Department of Homeland Security and the Federal Bureau of Investigation of the computer hack.
“If the investigation determines that data has been affected, the township will make the appropriate notifications, as soon as possible, and in compliance with state and federal law,” Brady wrote in the March 17 email.
A “Notice of Cyber Incident” began scrolling across the top of the township website the next day on March 18, and has continued to scroll. The notice stated that “the week prior to March 7, the township became aware if dissemination of emails that had the appearance of coming from East Windsor Township officials.”
The scrolling message states that these are not official emails. It advises residents to review and scrutinize all emails that appear to come from an East Windsor Township email address and not to click on or open any attachments or links in the email.
The alert encourages residents who have questions about an email to contact the East Windsor Township Manager’s Office at 609-443-4000, ext. 246, or via email at firstname.lastname@example.org.