A Suffolk County ransomware attack has left a lasting impact on the community, with the county approving over $25 million in spending to recover from the devastating effects of the cyberattack.
The attack, which took place on September 8, 2022, exposed the personal information of about 470,000 residents and 26,000 past and current employees of the Long Island, New York community, crippled police dispatch services for weeks, and shut down the county’s main website for months.
Staggering Price of Recovery for Suffolk County
The $25.7 million figure, which includes multiyear contracts through the end of this year, dwarfs the $5.4 million officials frequently cited in the attack’s immediate aftermath. This substantial sum doesn’t even account for thousands of hours of employee overtime or additional non-technology expenses related to the incident, such as legal fees.
County officials have defended the spending, citing the need to secure county documents and information, and to prevent future attacks. However, critics have raised concerns about the lack of transparency and oversight in the spending process. Suffolk County Comptroller John Kennedy, a Republican and longtime political rival of former County Executive Steve Bellone, has called for a review of the spending and accused the Bellone administration of spending $13.8 million on products that either were not needed or never deployed.
Key expenditures in the Bellone administration’s recovery efforts include:
- $8.1 million to California-based security vendor Palo Alto Networks
- $3.18 million for an “umbrella” support agreement through 2025
- $1.67 million for forensic investigation and remediation efforts
The attack’s impact was far-reaching, shutting down the county’s main website for months and affecting payment systems, public records access, and online testing systems.
Controversy and Calls for Investigation
First-year Suffolk County Executive Edward P. Romaine has also called for a review of the spending and has asked for a select committee to investigate how the money was spent.
Romaine stated, “I wish I had that $26 million to spend on hardening the current county network.” The county is now working to improve its cybersecurity posture to qualify for cyber insurance for the first time in its history.
Romaine claimed that assessing the actual cost of the cyberattack may be difficult, stating that his administration’s investigation was hampered by a lack of records maintained during the recovery efforts. Romaine alleged that some of these records had been removed or destroyed before his administration took over.
Romaine stated, “When I heard they had spent $27 million between September of 2022 and December of 2023, I said, ‘Well, what did you get for your money? Where is it?’” He added, “It’s hard to find because a lot of the records were erased.”
As Suffolk County continues to grapple with the fallout and costs of the ransomware attack, as well as the subsequent controversy over spending, the incident serves as a stark reminder of the potentially astronomical costs and long-lasting impacts of cybersecurity breaches on local governments.