'We're trying to be protective of your information'

COEUR d’ALENE — For the first time in more than a month, a city official addressed the February cyberattack that shut down the city’s network and caused myriad problems.

“We had a malware incursion,” Mayor Jim Hammond said during his State of the City speech Tuesday before about 175 people at The Coeur d’Alene Resort.

Hammond said people have asked him what happened and what the city did in response, but attorneys and cybersecurity experts have advised the city not to share that information. 

Revealing details of a cyberattack “just emboldens those people,” Hammond said.

“It’s not that we’re hiding it. It’s that we're trying to be protective of your information and our employees,” he said.

The city shut down its computer network after malware was detected in its system Feb. 11. The city's website was offline, records were not accessible and phones were down for several days but are back up now.

In the city’s Feb. 12 press release on the subject, it said the city was working with nationally recognized third-party cybersecurity and data forensics consultants and following industry best practices while developing a strategic plan to address the issue. 

“In an abundance of caution, we have taken affected systems offline while we work to secure and restore services safely. 911 and emergency resources continue to operate,” the release said.

The city has since brought its network back online.

A Feb. 14 letter from the Idaho Attorney General's Office said the “data security incident” involved “acquisition of personal information.”

"Through the investigation, the City found that certain devices on its network were encrypted by malware,” attorney Matt Meade, of the firm Eckert Seamans Cherin and Mellott, wrote. “On Tuesday, Feb. 13, 2024, the City discovered that this incident involved unauthorized acquisition of personal information, as defined by Idaho law.”

Meade wrote that the city "will be providing written notice to the identified impacted individuals, together with an offer of complimentary credit monitoring."

Idaho Code 28-51-105 requires an Idaho public agency to notify the Attorney General’s Office within 24 hours of discovering a breach of its security system.

Hammond said it is difficult to protect yourself from cyberattacks. He said that according to a Forbes article dated May 5, 2023, one in 31 organizations worldwide experience attacks weekly, which equates to four companies every minute.

“It’s really difficult to be completely foolproof,” Hammond said.

To enhance its security and help prevent similar occurrences in the future, Hammond said the city took several steps, including:

• Deployed advanced security tools to enhance detection and accelerate response to cyber incidents.

•  Conducted enterprise-wide password reset.

•  Installed hardware and system enhancements.

“We want to make sure we are doing everything we can," Hammond said.