East Windsor Township officials apparently misled residents about the date of the cyber attack on the township’s computer system, based on information obtained through an Open Public Records Act request.
Township officials claimed they learned of the computer breach March 7 and reported it to the public March 14, but numerous records indicate that they were aware of it as early as March 2.
The OPRA request was filed by East Windsor resident Raphael M. Copeland on May 9. East Windsor officials responded to the request on May 18, which is within the required seven business days to respond to an OPRA request.
Copeland had requested more than a dozen items that included a request for the date when East Windsor officials became aware of the computer breach, how they became aware of it and the date that it was reported to the New Jersey State Police and the New Jersey Department of Homeland Security, as required by state law.
The OPRA request also sought the name and address of the company that is investigating the incident, and the amount of money being paid to investigate and protect data.
Correspondence between township officials and local businesses, private citizens and the media regarding the incident also were requested.
Township officials claimed they became aware of the computer breach March 7 when employees attempted to log onto their work computers, based on information released under the OPRA request.
But Township Manager Jim Brady received an email March 2 from a senior cyber threat intelligence analyst at the New Jersey Cybersecurity and Communications Integration Cell, which stated that the agency’s “email security tool picked up a few emails that are using display name spoofing (impersonating) East-Windsor.NJ.US email users.”
“In some cases, however, it appears that East-Windsor.NJ.US email accounts may also be compromised or previously compromised. Our email security tool identified some attachments sent as the Emotet malware,” the analyst wrote.
“We advise notifying contacts of these attempts so that they do not open malicious emails/attachments/links,” the NJCCIC analyst wrote in the March 2 email. The NJCCIC is the security team for executive branch state agencies.
Brady acknowledged the NJCCIC analyst’s email March 3, and wrote that “we were aware and our email hosting/provider has fixed the problem.”
Township residents also began emailing township officials March 2 to report suspicious emails allegedly from East Windsor Township.
A Canterbury Court resident emailed Mayor Janice Mironov, Municipal Clerk Allison Quigley and Construction Official James Gorski March 2 to report receiving email messages – allegedly from a person who was impersonating an East Windsor official.
“East Windsor Township should send emails and post on the township’s web page to inform residents of this apparent hack of East Windsor residents’ email addresses and this person impersonating an East Windsor official,” the resident wrote in the March 2 email.
Township officials waited until March 7 to make a telephone call to notify the New Jersey State Police, the state Department of Homeland Security, the director of the New Jersey Cybersecurity Communications Integration Cell and the FBI.
Residents continued to receive suspicious emails purportedly from East Windsor Township.
In a March 10 email to Mironov, a Queensboro Terrace resident wrote that her Gmail account had been hacked after she was in communication with an East Windsor Township employee via email.
“This is extremely concerning. We are quite disturbed that we haven’t received any alerts regarding this hacking from the township,” the resident wrote in the March 10 email.
Mironov did not answer the emails personally. She passed them along to Brady, Quigley and Police Chief James Geary to respond.
In response to additional OPRA requests filed by Copeland, it was reported that three companies are investigating the incident. They have been identified as Mullen Coughlin of Devon, Pennsylvania; Kroll Associates of New York City; and Experian – Identity Works of Austin, Texas.
In another request to find out how much money is being paid to conduct the investigation, it was reported that the costs are being paid through the Middlesex County Joint Insurance Fund, minus the $25,000 policy deductible.
Copeland requested a digital copy of the township’s cyber response plan, but it was denied because it is considered to be a confidential record under the definition of a government record and “would jeopardize computer security.”
Copeland filed the OPRA request May 9 because more than two months after East Windsor Township’s computer system was compromised by unknown hackers, township officials had not divulged who was behind the hack or of any steps being taken to prevent future hacks – leaving residents in the dark about it.
Neither Mironov nor Brady had responded to similar questions posed by The Windsor-Hights Herald, beginning with an email to Mironov on March 7. The newspaper received an email from a concerned citizen about the hack March 3, which triggered the series of emails rom The Windsor-Hights Herald to Mironov and Brady, as late as April 27.
When township officials did not respond to the initial set of emails, The Windsor-Hights Herald contacted the New Jersey State Police March 14 and was referred to the East Windsor Township Police Department.
The state Department of Homeland Security was contacted by the newspaper via email on the same date. A spokesman declined to comment on whether East Windsor had been victimized.
Meanwhile, the East Windsor Township Police Department’s March 14 press release stated that township officials “became aware of suspicious activity related to the municipal building’s computer system” March 7.
The system was taken offline and the township has been working with cybersecurity specialists and governmental partners to restore the operations, according to the press release.
The East Windsor Township Police Department referred all additional inquiries to Brady, the township manager. He was contacted by The Windsor-Hights Herald March 15.
Brady confirmed in a March 17 email to The Windsor-Hights Herald that township officials notified the New Jersey State Police, the state Department of Homeland Security and the FBI of the computer hack.
“If the investigation determines that data has been affected, the township will make the appropriate notifications, as soon as possible, and in compliance with state and federal law,” Brady wrote in the March 17 email.
A “Notice of Cyber Incident” began scrolling across the top of the township website the next day on March 18, and has continued to scroll. It states that the week prior to March 7, the township became aware of dissemination of emails that had the appearance of coming from East Windsor Township.”
The scrolling message states that these are not official emails, and advises residents to review and scrutinize all emails that appear to come from an East Windsor Township municipal email address and not to open or click on any attachments or links in the email.