Some Suffolk services still offline since cyberattack
A handful of online services, including property title searches and sewer bill payments, remain offline months after a cyberattack on Suffolk County.
The Sept. 8 attack, which forced the county to take its website and other web-based applications down until February, also is the reason Suffolk's capital budget will be filed two weeks late.
Hackers gained access to the computer system by exploiting a vulnerability in the county clerk’s domain in December 2021, according to a forensic report of the attack. The hackers demanded a $2.5 million ransom, but the county didn't pay it, County Executive Steve Bellone said.
Some online services have not been restored since the breach was discovered. Those that remain offline, according to Suffolk spokeswoman Marykate Guilfoyle, include:
Remote access to title searches , Paying sewer bills online , The health department’s food manager course mobile application, as well as an app displaying restaurant inspection results , Applications for pistol permits , Submissions of Freedom of Information Law requests to the Suffolk County Police Department, They are being taken via email, , Police public notification programs such as Crimestoppers alerts, news releases, false-alarm management registration and the SCPD Shield information sharing program .
Guilfoyle said some of the services have apps that require residents to submit personal information such as their name or address, and those will be kept offline until they can be upgraded to meet Suffolk’s safety standards.
Several other services, including ones that allow mortgages to be recorded online and county employees to check their deferred compensation, were expected to be back online by Friday, Guilfoyle said. Many have been executed manually at the clerk's office, or via email or telephone calls since the attack.
Property title searches, a critical function of Long Island’s real estate industry, were down for nearly a month after the attack, but can now be performed in person. That means title searchers — who often own their small businesses and typically work as subcontractors for title and abstract companies — have had to report to the county clerk’s office in Riverhead to do their jobs.
Guilfoyle said the county hopes to restore remote searches by the end of the year.
On a recent Tuesday, dozens of title searchers were stationed in cubicles in the clerk’s office, where they accessed the county’s offline system. They had been doing their jobs remotely during the COVID-19 pandemic and prior to the cyberattack.
Returning to in-person searches is a major inconvenience for Beverly Odell, 60, who had been working from Frederick, Maryland, after she sold her Riverhead home in 2021. A title searcher since 1979, she has only worked for three weeks since the cyberattack. She quit her job at a title agency but plans to return to work when remote title searches resume.
“I moved with the security that I would still be working,” she said. “At my age, I’m not going to start a new career.”
Jenn Baldock, 44, of Shirley, who owns a small title search company, said she lost about a quarter of her income last year because of the attack. She noted that working remotely gives title searchers 24/7 access to the system, which allows them to take on additional clients. Title searches can now only be conducted during business hours.
“I’ve had to turn away work because I don’t have time,” said Baldock, whose TikTok post about the cyberhack has received more than 100,000 views. “The more work you have, the more money you make.”
Michael Nizich, director of the Entrepreneurship and Technology and Innovation Center at New York Institute of Technology, noted remote applications are more vulnerable to attack by an outside entity because they do not reside inside the county's “trusted” computer base.
Nizich, who spoke generally and does not have direct knowledge of Suffolk's restoration, said those systems must maintain the highest level of security because they allow outside access to county data. He said these services typically are in what is known as a demilitarized zone, or a digital space where users can view and access county data while not being allowed to harm the network.
“Due to the complexity of these configurations, it's imperative that care be taken to properly install, configure and, most of all, test the DMZ [demilitarized zone] and all services that lie inside of it to assure that they are secure from all human and non-human threat agents,” Nizich said.
It's not clear how much it could eventually cost Suffolk to restore the services, or how the county will pay for it. County officials said they'll work with the clerk's office to find funding.
The county's most recent estimate to respond to the attack and restore services was $5.7 million as of Thursday. Cybersecurity experts have said it could rise.
Guilfoyle said around $100,000 has been spent on upgrades to the title search system. To fully restore remote access to title searches, she said it could cost an additional $1 million.
Suffolk Comptroller John M. Kennedy Jr. said the county’s vendor self-service portal, which is administered by the international firm CGI Advantage, is still down. The application allows county vendors to submit and track the status of invoices. He estimated that only about 25 of the county’s 500 vendors are using the service, but that it was growing in popularity.
“Naturally, like everything, bang — down it came,” he said. “I am eager to get that back up, and operational and functional.”
An emergency order issued by Bellone on April 14 extends the April 15 deadline for the capital budget, the county’s multiyear spending plan for large projects, until May 1.
“Under emergency authority, the capital budget has been delayed as we work to hire a [chief information security officer] and evaluate any further cybersecurity investments to harden the county’s infrastructure,” Guilfoyle said in a statement. She said the chief information security officer will be expected to review the capital projects.
Bellone has issued similar orders every month since the attack. Some of the orders have temporarily moved IT employees in the clerk's office to the countywide IT department.
The capital budget delay shortens the amount of time the county legislature and its Budget Review Office have to review the budget before a deadline of June 30 to adopt it.
Legis. Kevin McCaffrey (R-Lindenhurst), presiding officer of the legislature, did not return calls seeking comment.
A handful of online services, including property title searches and sewer bill payments, remain offline months after a cyberattack on Suffolk County.
The Sept. 8 attack, which forced the county to take its website and other web-based applications down until February, also is the reason Suffolk's capital budget will be filed two weeks late.
Hackers gained access to the computer system by exploiting a vulnerability in the county clerk’s domain in December 2021, according to a forensic report of the attack. The hackers demanded a $2.5 million ransom, but the county didn't pay it, County Executive Steve Bellone said.
Some online services have not been restored since the breach was discovered. Those that remain offline, according to Suffolk spokeswoman Marykate Guilfoyle, include:
WHAT TO KNOW
- A handful of online services, including the ability to pay sewer bills and conduct title searches, remain offline in Suffolk County until they can be updated to meet the county's new security standards.
- Several other online services were expected to be restored by Friday.
- The county's most recent cost estimate to respond to the attack and restore services is $5.7 million. Cybersecurity experts have said it could rise much higher.
- Remote access to title searches
- Paying sewer bills online
- The health department’s food manager course mobile application, as well as an app displaying restaurant inspection results
- Applications for pistol permits
- Submissions of Freedom of Information Law requests to the Suffolk County Police Department. They are being taken via email.
- Police public notification programs such as Crimestoppers alerts, news releases, false-alarm management registration and the SCPD Shield information sharing program
Guilfoyle said some of the services have apps that require residents to submit personal information such as their name or address, and those will be kept offline until they can be upgraded to meet Suffolk’s safety standards.
Several other services, including ones that allow mortgages to be recorded online and county employees to check their deferred compensation, were expected to be back online by Friday, Guilfoyle said. Many have been executed manually at the clerk's office, or via email or telephone calls since the attack.
Property title searches affected
Property title searches, a critical function of Long Island’s real estate industry, were down for nearly a month after the attack, but can now be performed in person. That means title searchers — who often own their small businesses and typically work as subcontractors for title and abstract companies — have had to report to the county clerk’s office in Riverhead to do their jobs.
Guilfoyle said the county hopes to restore remote searches by the end of the year.
On a recent Tuesday, dozens of title searchers were stationed in cubicles in the clerk’s office, where they accessed the county’s offline system. They had been doing their jobs remotely during the COVID-19 pandemic and prior to the cyberattack.
Returning to in-person searches is a major inconvenience for Beverly Odell, 60, who had been working from Frederick, Maryland, after she sold her Riverhead home in 2021. A title searcher since 1979, she has only worked for three weeks since the cyberattack. She quit her job at a title agency but plans to return to work when remote title searches resume.
“I moved with the security that I would still be working,” she said. “At my age, I’m not going to start a new career.”
Jenn Baldock, 44, of Shirley, who owns a small title search company, said she lost about a quarter of her income last year because of the attack. She noted that working remotely gives title searchers 24/7 access to the system, which allows them to take on additional clients. Title searches can now only be conducted during business hours.
“I’ve had to turn away work because I don’t have time,” said Baldock, whose TikTok post about the cyberhack has received more than 100,000 views. “The more work you have, the more money you make.”
Michael Nizich, director of the Entrepreneurship and Technology and Innovation Center at New York Institute of Technology, noted remote applications are more vulnerable to attack by an outside entity because they do not reside inside the county's “trusted” computer base.
Nizich, who spoke generally and does not have direct knowledge of Suffolk's restoration, said those systems must maintain the highest level of security because they allow outside access to county data. He said these services typically are in what is known as a demilitarized zone, or a digital space where users can view and access county data while not being allowed to harm the network.
“Due to the complexity of these configurations, it's imperative that care be taken to properly install, configure and, most of all, test the DMZ [demilitarized zone] and all services that lie inside of it to assure that they are secure from all human and non-human threat agents,” Nizich said.
Cost to restore services
It's not clear how much it could eventually cost Suffolk to restore the services, or how the county will pay for it. County officials said they'll work with the clerk's office to find funding.
The county's most recent estimate to respond to the attack and restore services was $5.7 million as of Thursday. Cybersecurity experts have said it could rise.
Guilfoyle said around $100,000 has been spent on upgrades to the title search system. To fully restore remote access to title searches, she said it could cost an additional $1 million.
Suffolk Comptroller John M. Kennedy Jr. said the county’s vendor self-service portal, which is administered by the international firm CGI Advantage, is still down. The application allows county vendors to submit and track the status of invoices. He estimated that only about 25 of the county’s 500 vendors are using the service, but that it was growing in popularity.
“Naturally, like everything, bang — down it came,” he said. “I am eager to get that back up, and operational and functional.”
An emergency order issued by Bellone on April 14 extends the April 15 deadline for the capital budget, the county’s multiyear spending plan for large projects, until May 1.
“Under emergency authority, the capital budget has been delayed as we work to hire a [chief information security officer] and evaluate any further cybersecurity investments to harden the county’s infrastructure,” Guilfoyle said in a statement. She said the chief information security officer will be expected to review the capital projects.
Bellone has issued similar orders every month since the attack. Some of the orders have temporarily moved IT employees in the clerk's office to the countywide IT department.
The capital budget delay shortens the amount of time the county legislature and its Budget Review Office have to review the budget before a deadline of June 30 to adopt it.
Legis. Kevin McCaffrey (R-Lindenhurst), presiding officer of the legislature, did not return calls seeking comment.
WHAT'S BACK
Suffolk web-based apps that were expected to be restored by Friday:
- Civil Service candidate exam room assignment searches. Individuals have been receiving room assignments upon confirmation of the test or by calling the department.
- Deferred compensation reports that allow county employees/retirees to check contribution amounts for deferred compensation.
- Clerk online recording intake for mortgages and land instruments.
- Clerk service that handles questions from towns on deeds. The reports have been sent to the towns manually.
- Clerk online records searches, which have been occurring at the clerk’s office since the attack.
WHAT'S NOT
- Remote access to title searches and other real estate-related functions in the clerk’s office.
- Paying sewer bills online.
- The health department’s food manager course mobile application, as well as an app displaying restaurant inspection results.
- Applications for pistol permits.
- Submissions of Freedom of Information Law requests to the Suffolk County Police Department. They are being taken via email.
- Other police public notification programs.