New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, medical records and personal data for thousands of city employees.
But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter.
Officials have not said how the intruder obtained the worker’s credentials, nor have they determined the scope of the attack. But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal agency’s system and the incident.
The intrusion interrupted city lawyers, disrupted court proceedings and thrust some of the department’s legal affairs into disarray. And on Tuesday morning, in a conference call, Mayor Bill de Blasio admonished the heads of city agencies to shore up their cyberdefenses or face consequences in the event their agencies were hacked, according to three people who were on the call.
The mayor’s warning to the agency heads comes 10 days after the city’s Cyber Command, created by de Blasio in 2017 to defend the city’s computer networks, detected unusual activity on the Law Department’s computer system.
The next afternoon, June 6, city officials have said, they removed the department’s computers from the city’s larger network. Many remain disconnected.
De Blasio, in public appearances last week, said that the hack was under investigation by the New York City Police Department’s intelligence bureau and the FBI’s cyber task force. He said officials were not aware of a ransom demand being made or of any information being compromised.
Officials also said there was no evidence that the attack had damaged the city’s computer systems, though the investigation was still in an early stage. Investigators are still trying to determine the identity of the perpetrator and the motive.
“We’ve identified the…