A computer hack gained access to a New Bedford city employee’s official email account on Tuesday, causing the account to send a phishing message to the employee’s entire contacts list.
The city’s IT team quickly stopped the breach, Public Information Officer Jonathan Darling said on Wednesday. He said it didn’t affect the city’s “servers, data, or hardware” because it targeted the city’s email platform, which is controlled by Microsoft.
“It’s really a non-issue for us,” he said in a phone interview.
Darling said John Costa, the city’s IT director, was not available to discuss the situation and declined to say why.
The hack happened when Parks and Recreation Director Mary Rapoza opened a fake email that was made to look like it was sent from a local nonprofit agency, Darling said. This “resulted in” Rapoza’s official email address sending spam messages to people in her contacts list.
It’s not clear what information hackers may have gained access to within Rapoza’s email account, or if any of it was sensitive. Darling didn’t immediately respond to The Light’s questions about whether the hack exposed Rapoza’s incoming or outgoing mail, and whether other employees’ emails were compromised.
A Light reporter received a spam email on Tuesday afternoon from Rapoza’s email address. It asked the reader to click a link to view a “proposal” without providing any other details.
“Do not open, it is spam,” Darling told The Light in an email later that evening, after the reporter shared Rapoza’s message. He added: “We are working on it.”
Later that evening, three hours after the spam email was sent from Rapoza’s address, The Light received a follow-up message from the city’s IT director, which warned recipients against clicking any links or attachments in Rapoza’s message. Costa wrote that his department was “working to mitigate this issue.”
City IT officials “terminated the unauthorized access and prevented any further spam emails by disabling the affected account, resetting the password, revoking all active sessions, and blocking further sign-in attempts,” Darling wrote in a statement on Wednesday. “The City regrets any inconvenience to external parties who received a spam email.”
The unauthorized emails are an example of phishing attacks, where hackers send emails that look like they come from legitimate sources, deceiving recipients into handing over sensitive information like passwords.
New Bedford’s emergency alerts platform, OnSolve CodeRED, was targeted by a cyberattack “by an organized cybercriminal group,” the city announced in December. The group downloaded user data “including names, addresses, email addresses, phone numbers and/or associated passwords used to create user profiles for alerts.” The city recommended that users change their passwords on any accounts using the same password as CodeRED.
The city was targeted by a major ransomware attack in 2019, when hackers locked the city out of its computer systems and demanded $5 million. Mayor Jon Mitchell made national news by defying the recommendations of cybersecurity experts, offering $400,000 to the hackers from the city’s insurance policy. Hackers did not accept the offer. Ultimately, the city used its own backups to restore its computer systems.
Hacks targeting local governments are not uncommon. Earlier this year, the city of Peabody reported a data breach that affected 48,000 people. The hacker had access to city systems for nearly a month before officials found out, the city announced. Social Security numbers, financial accounts, and driver’s license information were exposed. The city said it was offering free credit monitoring and identity theft services to people affected.
Email Grace Ferguson at gferguson@newbedfordlight.org. New Bedford Light reporter Eleonora Bianchi contributed reporting.
