PORTLAND, Ore. — By the time Portland city leaders realized what had happened, it was too late. In April, cybercriminals made off with $1.4 million — the single largest heist of public funds in city history.
Emails suggest that a city treasurer had flagged the million-dollar wire transfer as potentially fraudulent, but the housing bureau paid it anyway after being fooled by cybercriminals who had access to the city’s internal systems for an entire month.
“It’s every day, all the time. It is nonstop,” warned cybersecurity expert Patrick Miller of Ampere Industrial Security.
Local government networks are attractive targets for cybercriminals because of the vast amount of sensitive data they hold, Miller explained. And unlike private businesses, many local governments are less prepared for an attack because of limited budgets or outdated technology used to protect against cyberattacks.
“It’s a struggle for them,” Miller said. “They’re not in a good position to counter things like nation-state level cyberattacks. I won’t say it is impossible for them, but it is very difficult.”
In 2020, Tillamook County suffered a crippling ransomware attack. Cybercriminals hijacked control of government computer systems, encrypted the data, then held it hostage for two weeks until elected leaders agreed to pay a $300,000 ransom.
One way that local governments offset some of the risk and limit their exposure is through cyber insurance.
KGW asked 20 of the largest cities in Oregon for a copy of their cyber insurance policies. Eighteen cities had coverage. Two did not — McMinnville and Redmond.
KGW’s review found that in many cases cyber insurance costs have skyrocketed due to the surging attacks. In Portland, annual premiums jumped from $220,000 last year to $325,388 this year — a 49% increase.
Bend’s cyber insurance premiums jumped from $28,134 for its previous policy to $72,100 for the city’s current policy — a spike of 156%.
“It has become rougher and rougher to get cyber insurance. It’s become a national crisis,” said Alan Shark, executive director of the Washington, D.C.-based nonprofit CompTIA Public Technology Institute.
It’s expensive to clean up the mess or restore a system after a cyberattack, Shark said. Insurance companies are having to pay out more, which has led them to raise premiums and tighten standards for getting a policy.
“Do you want to say, ‘I’m healthy today and I don’t need medical insurance’?” asked Shark. “The answer is — cyber insurance is an important part, if you can get it, for all local governments.”
Cyber insurance is only part of the strategy. Local governments also need to invest in technology, software updates, and backup data, Shark said — along with strict policies and training for employees to protect against cyberattacks.