The township of Montclair, New Jersey on Friday notified 17,835 people about a May 2023 ransomware attack that compromised their personal information.
The township admitted in July 2023 that its insurer, Garden state Joint Insurance fund, paid $450,000 to attackers in order to restore systems and recover data. It said some systems and data were not recovered at the time.
The new notification reads, “After an extensive forensic investigation, we discovered on March 25, 2024 that the systems, which, were accessed between approximately May 22, 2023 and June 1, 2023, contained some of your personal information as described in more detail below.”
No ransomware groups have claimed responsibility for the attack.
The township didn’t publicly disclose what or whose data was compromised, other than it contained names and driver’s license numbers. Montclair is offering free credit monitoring through Experian, which implies Social Security numbers could also have been affected.
Comparitech contacted the township of Montclair for comment, and we’ll update this article if it responds.
Even though the township paid a ransom, it cannot guarantee that the stolen data is now secure, so it would still be required to notify victims.
Ransomware attacks on government
Ransomware gangs frequently target government entities. Attacks on government organizations disrupt key infrastructure and services, such as 911 dispatch centers, sheriff’s offices, city councils, and utilities. Government staff are left without computer systems and have to resort to pen and paper. In some cases, organizations may be able to restore lost data using backups, but in many cases, they are forced to either pay extortionate ransoms or make the costly decision to rebuild their systems from scratch.
In 2023, 74 US government organizations confirmed ransomware attacks, affecting 309,810 records. The average ransom for confirmed attacks was $830,000 in 2023, and the average downtime was 14 days.
Elsewhere in 2023, the San Bernadino County, California Sheriff’s department paid a $1.1 million ransom, and Hinds County, Mississippi paid $300,000.
In 2024, 21 attacks have been confirmed so far, affecting 49,249 records. Washington County, PA in February confirmed it paid $346,787 in ransom.
About Montclair, NJ
Montclair is a township in Essex County, New Jersey. The population was about 41,000 people as of 2020, many of whom commute to New York City. It has no other cyber attacks on record.
All critical operations have been restored since the ransomware attack. You can see the mayor’s response to the attack from June 2023 below: