Data stolen in Jefferson County, Kentucky, cyberattack includes election info, employee reviews
Officials in the Jefferson County Clerk’s office in Kentucky this week confirmed that sensitive data such as personnel files, Social Security numbers and election administration information may have been compromised in a cyberattack last month.
On Monday, RansomHub, a ransomware group responsible for the July cyberattack on the Florida Health Department, listed Jefferson County as a victim on its ransomware data leak site and claimed responsibility for the cyberattack. The group claims it exfiltrated 47 gigabytes of data from the county, a trove that might include ballot data and voter records going back as far as 2008.
On a leak site, RansomHub’s countdown clock points to Saturday as the deadline for payment. A ransom amount isn’t listed, and the county clerk’s office declined to confirm whether it had received a ransom demand.
“We are reviewing the leaked files to determine who we need to contact,” Ashley Tinius, a spokesperson for the office, told StateScoop in an emailed statement. “We will send a letter to anyone we identify, similar to other agencies that have been victims of these malicious actors. Federal law for private companies gives a full 60 days to notify, which is not very timely. Our internal policy allows 35 days to identify and contact individuals about the security breach.”
Officials said they discovered the attack on July 22, days after the county had reopened its offices following a two-week closure to address a “significant backlog” of work caused by glitches in its KAVIS software, a system primarily used by county clerk employees to manage vehicle and boat transactions.
Surrounding Louisville, Jefferson County has a population of 773,000 residents. The county clerk’s office there is responsible for managing documents ranging from land deeds to marriage licenses.
The ransomware group published on the dark web a list of the files it claims to have stolen. The list appears to contain financial documents, alarm system details, invoices, human resources documents like employee reviews and resignation letters, budget documents and customer contracts.
The extensive list includes Microsoft Word and Excel files with names like “Election Officers for Special Election.xlsx”, “Finance Accounts Payable.doc” and “Alarm Codes.xlsx”.
A researcher from the Cyble Research and Intelligence Lab, who asked not to be named, told StateScoop that what he finds most alarming about the breach is the apparent compromise of election administration data dating back to 2008.
“The data [could] potentially be used for phishing as well as disseminate disinformation, misinformation to cause confusion and panic amongst the voters,” the researcher wrote in an email.
The file list contains 16 mentions of the word “voter” and 142 mentions of the word “election.” Some file names indicate the type of election equipment the county uses for in-person voting. Based on information published by the election-technology tracker Verified Voting, the files could refer to equipment from the Nebraska manufacturer Election Systems & Software, including hand-fed optical scanners, ballot marking devices or commercial electronic poll books.
Analysts at the cybersecurity firm Halcyon have speculated that RansomHub is a rebrand of the Black Cat/ALPHV gang, which went dark after in February it orchestrated a disruptive cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, the largest private health insurer in the United States. RandomHub collected $22 million in ransom payments after stealing nearly 4 terabytes of sensitive data.
AJ Vicens contributed reporting.
