By Adam Andrzejewski
CEO & founder, OpenTheBooks.com
Topline:
Top Baltimore officials charged with protecting city cyber infrastructure were pulling in six-figure salaries despite devastating ransomware attacks in 2018 and 2019. Computer systems were down for months, costing millions of dollars and putting lives in danger. Unable to effectively protect their infrastructure, the city paid millions in insurance premiums to reduce liability for another potential attack.
The details:
In March 2018 the City of Baltimore’s 911 dispatch system was hit with a ransomware attack. Dispatchers were forced to switch to an antiquated manual system to respond to emergencies, slowing down response times.
The next year the city suffered another ransomware attack, this time shutting down some systems for as much as three months.
Baltimore’s budget office estimated $10 million was spent on information technology recovery efforts because of the attacks. Another $8.2 million in revenue was lost or delayed as residents were unable to pay property taxes, real estate fees, and fines.
The people in charge:
Frank Johnson was the city’s IT director during both of the attacks, pulling in a $251,922 yearly salary. He left city employment in October 2019, and was replaced by Todd Carter, his deputy.
Carter was named permanent IT director in Feb 2020. His 2021 salary was $231,336.
Johnson was not the only top IT official to leave in the wake of the 2019 attack. Martin Okumu, the director of IT infrastructure at the time of the attack (salary $135,200), Shawn Cherry, the senior manager for the IT help desk and customer service (salary $110,800) and Janice Simmons, a bureau chief in the finance department in charge of revenue collection (salary $136,000) left under ambiguous circumstances in August 2019, The Baltimore Sun reported.
While Mayor Young’s spokesman gave The Sun the names of the employees who “no longer work for the city,” he said, it’s wrong “to suggest that any adverse employment action was taken against any city employee ‘to hold them accountable for the ransomware attack.’"
Millions spent in insurance:
Unable to guarantee the security of the city’s computer infrastructure, in 2019 officials purchased two ransomware insurance plans to reduce liability for the next attack, The Baltimore Sun reported.
Plan one from Chubb Insurance gave the city $10 million in liability coverage, with $500,103 in premiums. The second, from AXA XL Insurance, provides another $10 million of coverage for $335,000 in premiums.
Each plan has a $1 million deductible.
Over the past three years, the city has spent approximately $2.4 million on insurance premiums. Every dollar spent on expensive cyber insurance is a taxpayer dollar not available for city services, including those that could protect cyber infrastructure from another attack.
The Baltimore City Information & Technology spokesperson responded to our request for comment:
“City leadership has provided the attention, focus and resources needed to upgrade our security posture and improve resilience. Our resilience initiatives include updating our disaster recovery plan, updating our incident response plan and running a city-wide table top exercise, updating Agency continuity of operations (CoOp) plans, and regularly testing the ability to restore critical backups.”
Irregularities in ransomware response procurement:
A December 2021 report by Baltimore’s Office of Inspector General found that one of the vendors the city hired to respond to fallout from the ransomware attack incorrectly billed for its services.
The billing process didn’t follow “procurement and fiscal responsibility best practices,” the OIG found; bills the unnamed vendor sent the city only included the number of hours worked and hourly rate, not the work being done.
“The lack of details on the invoices and the absence of project plans supporting the work performed by the vendor is a limitation, therefore the OIG is unable to determine if the invoice payments were justified,” the report stated.
There were also several large invoices from the vendor that were inexplicably canceled, and the IT department had “no clear policy governing if/when supporting documentation should be gathered to justify invoice approval,” the report found.
The vendor billed $1,623,188 to the city for its work–but there are apparently no records for what that work actually was.
How secure is the city?
Baltimore isn’t the only city to fall victim to these attacks, which are becoming increasingly common. Major cities including Tulsa, Atlanta, Denver, New Orleans and Knoxville have been victims of ransomware attacks.
From the Baltimore City Information & Technology office:
“We’ve implemented a security council and an IT steering committee to improve communication and coordination. Every IT project has a security engineer assigned to ensure upgrades and new systems are designed and implemented securely. We also receive actionable intel from the Multi State-Information Sharing Analysis Center (MS-ISAC) and other sources that we use to update our defenses. We’ve upgraded nearly all of our security tools and created a metrics dashboard to monitor their health and effectiveness. In addition, we now have 24x7 security monitoring of our environment.
Read the complete response from the Baltimore City Information & Technology here.
Adam Andrzejewski is the founder and CEO of OpenTheBooks.com. Last year, OpenTheBooks.com filed 47,000 FOIA requests, the most in American history, and successfully captured $12 trillion in federal, state, and local spending.
Do you have a tip regarding waste, fraud, corruption, or taxpayer abuse in Baltimore? Send us an email: [email protected].