Among the thousands of lawsuits New York City faces each year, this case was unexceptional — a man suing the city and several police officers over his arrest during a 2016 demonstration. But last week, the case hit a snag for an unusual reason: The city’s Law Department had been hacked, and lawyers were struggling to gain access to important documents.
“Practically all attorneys from the New York City Law Department still do not have remote access to electronic files,” wrote Jorge M. Marquez, a city attorney, to the judge on July 1, asking for an extension of deadlines in the false-arrest case.
Mr. Marquez noted that attorneys could enter the Law Department’s offices to review files but because of the pandemic, many attorneys, including himself, were not going into work. “It is currently unknown when this problem will be resolved,” he wrote, adding that the city hoped it would be in the coming weeks.
More than a month after hackers gained access to the Law Department’s computer system — which stores an untold amount of sensitive information — it is now apparent that the breach had a more profound effect than officials have publicly revealed. The department’s chief IT officer has been reassigned and replaced. And the fallout, as chronicled in internal communications obtained by The New York Times, may for months continue to affect the 1,000-lawyer agency that defends the city in court.
Many city Law Department employees have returned to the office on a limited basis, but the inability to retrieve documents remotely has slowed some of their work.
Laura Feyer, a spokeswoman for Mayor Bill de Blasio, said in a statement that the Law Department’s attorneys are “arranging on-site and remote work accordingly to ensure there is minimal impact to cases.”
Nick Paolucci, a Law Department spokesman, said that a majority of the department’s attorneys have been able to meet court deadlines and that the legal work of the city was moving forward.
But court records show the hack continues to complicate cases. In letter after letter to judges, the city’s attorneys have sought postponements in cases, saying that without access to electronic files, they could not prepare a deposition, answer a complaint or submit a brief.
In one lawsuit against the Department of Education filed on behalf of a teenager with autism, the lawyer for the plaintiff wrote to a judge that settlement talks had stalled for a time because the city’s lawyer lacked access to email and case files. It was unclear how many cases have been delayed because of the hack.
Some Law Department attorneys even went into the office and transferred files, some containing sensitive materials, onto personal flash drives in order to be able to work on them on home computers, according to one employee.
The Times has reported that the Law Department hack occurred after an intruder used an employee’s stolen email password to gain unauthorized access to the agency’s computers. The Times found that the intrusion was enabled by the department’s failure to comply with an April 2019 directive by the city’s Cyber Command that all agencies implement a common security tool called multifactor authentication.
The tool requires users logging into sensitive accounts to take at least one further step to verify their identities, such as entering a temporary numerical code sent to a user’s cellphone.
“While the attack was stopped quickly thanks to actions by Cyber Command, the lack of compliance with city IT standards leading up to the attack was unacceptable,” Ms. Feyer, the City Hall spokeswoman, said in a statement.
Ms. Feyer said the Law Department had been working “around the clock” under the guidance of the Cyber Command and the city’s information technology department “to enhance its systems and restore more functionality” in response to the breach.
Mr. de Blasio has said that the breach was being investigated by the F.B.I.’s cyber task force and the New York Police Department’s intelligence bureau and that the city was unaware of any ransom demand being made or information being compromised.
The mayor also admonished city department heads in a conference call in mid-June to shore up their cyberdefenses or face consequences should their agencies be hacked, The Times has reported.
In the fallout over the hack, the Law Department reassigned its chief IT officer, Edwin Francisque, and replaced him with a veteran IT supervisor from the Department of Education, according to an email from Georgia M. Pestana, the Law Department’s acting head, to her staff last week.
Mr. Francisque declined to comment through a Law Department spokesman.
The Law Department hack was first detected by the Cyber Command on June 5, and the next day the agency’s computers were removed from the city’s larger network, throwing much of the department’s legal work into disarray.
In a court hearing on June 30, Stephen Kitzinger, an attorney representing the city in a lawsuit filed by the family of Eric Garner, told a judge that his office email was not restored until June 14 — more than a week after the hack was discovered — and that he still did not have access to his records.
Ms. Pestana, in an email on June 14 telling her staff that access to email had been restored, offered rules for “securely transferring documents” from the office to “your home environment.”
A city official said that in the wake of the hack, Law Department employees now have been given multifactor authentication.
Cybersecurity experts and other officials say that the vast majority of ransomware attacks against American towns, cities and hospitals were made possible because of the failure of the targets to use multifactor authentication. The experts have said that hackers exploited the lack of the tool when they forced the shutdown of the Colonial Pipeline in May and attempted to poison the water supply in a small Florida town early last year.
Officials have not said why the Law Department did not implement the safeguard after the Cyber Command directive more than two years ago.
This spring, the agency appeared to be finally preparing to do so, emails show. On May 25, Mr. Francisque, then the chief IT officer, wrote to the staff that the plan to implement multifactor authentication would bring the agency into compliance with the directive.
“We have all heard of high-profile security breaches, which are becoming increasingly more frequent,” he wrote, “particularly those breaches that exploit systems through end user login credentials.”
Less than two weeks later, the hack occurred.
The post Fallout From Hack of City Law Department Could Linger for Months appeared first on New York Times.