Officials are notifying about 1,700 current and former Detroit employees.
Officials are notifying about 1,700 current and former Detroit employees.

Officials are notifying about 1,700 current and former Detroit fire and emergency medical services (EMS) employees that their personal information may have been compromised by malware that locked City files.

City officials did not respond to several SCMagazine.com requests for comment throughout Monday, but according to various reports, a staffer inadvertently clicked on a malicious link in an email around Feb. 8, which resulted in several files being locked up.

“We realized that two of the files contained personal information,” Beth Niblock, Detroit's chief information officer, said at a news conference. “And the scope of our preliminary investigation showed that about 1,700 current and former fire and EMS employees were affected by this lock. There is absolutely no information to indicate that any personal information has been disclosed.”

That personal information includes names, dates of birth and Social Security numbers, according to reports, which explain that officials were able to find out what was in the files by viewing backups. Impacted individuals are being notified by mail and offered credit monitoring and identity theft protection services. Additionally, employees are being given more computer training.

Attackers generally use file-locking malware – typically known as ransomware – to extort victims for finances, and not to breach organizations for personal data; however, Detroit attorney Melvin Hollowell was quoted in one report as saying there was no such payment demand with this particular malware.

“As the ransomware is always delivered via an intermediary piece of malware, I'd recommend that such incidents be treated like a breach,” Bogdan Botezatu, senior e-threat analyst with Bitdefender, told SCMagazine.com on Monday.

But that is not all.

Botezatu added, “It would be safe to assume that attackers have full control of the compromised computer and could exfiltrate data, access network shares and so on. In this case, the respective machine should be isolated immediately from the network and taken directly to forensics in order to identify the scope and duration of the incident, as well as assessing what data could be accessed from that machine over the network.”