Choreograph

Opinion: East Windsor still needs to address email hack

There has been specific and reckless malfeasance here in East Windsor that will affect the lives of residents and is violating our safety and security as citizens, and it is extremely serious. And this is not 1954 in Alabama, or 2010 in North Korea. This is 2022, in Central New Jersey. This is your backyard.

Our township servers were hacked in late February. We have no idea what was dumped, but at minimum our email and cell phone numbers are floating around Eastern Europe somewhere, being bought and sold daily. Our spam calls quadrupled, almost overnight. Emails that some of us sent to the township 5 years ago were sent back to us verbatim with instructions in broken English to open the attached form, which was a ransomware virus.

The hack was in late February, but residents started receiving these emails (and unfortunately, opening them) on March 1. There were 60 or so reports of this on the local Facebook group Citizens for East Windsor on that date, and they’re still there. But nobody was that concerned – most people don’t care about or understand cybersecurity, and they thought it was just run of the mill isolated phishing. Few people really sat down and thought about how their email address was obtained, or why they were getting their own emails replied to five years later with viruses attached.

When you pay your property taxes with a credit or debit card, the township has records of that. Was our banking information dumped as well? Dates of birth? Social Security numbers? No way for us to know. We will likely never find out. There are 30,000 people here who still have no idea. And we have no idea because the simple acknowledgement of a mistake by the township would make them look bad. And that will not be tolerated here.

The township was called repeatedly that week to alert them of the situation. Nothing happened. In the State Of New Jersey, by law, there are three things that you have to do when there is a municipal cyber breach: you have to notify the Department Of Homeland Security, the State Police, and the residents of the township. None of that was done.

After several weeks of municipal stonewalling, a few newspapers caught wind of what was going on. Articles were printed. No comment from the mayor. And thankfully, things were out in the open. Or so we thought.

Unfortunately, the township did the absolute minimum they could legally get away with. As residents, we eagerly awaited some long-overdue mention of what had occurred and how much of our information was compromised. And we got no emails from the township – they continued sending out the weekly email bulletin about summer jobs being available for camp counselors and the like. Nothing about the breach. To this day, no email about it has been sent to residents who receive the weekly bulletin. We have an emergency alert system called Nixle that the taxpayers fund, and it’s not cheap. No alerts.

Eventually someone noticed a very small crawl on the top of the municipal website about a “cyber incident”. So the 0.5% of residents that actually go to the town website may have spotted it. Likely not. And it’s the ultimate insult to our collective intelligence. The notice, which is still there, gives almost no information other than the falsehood that the breach was discovered by the township on March 7. That’s a week after all the phone calls to the township. A week after all the Facebook posts. And – you’ll enjoy this – the mayor is a member of that Facebook group. So is most of the local police department.

The simple lack of transparency is utterly amazing. The notice also states that a top security firm, which is not named, is investigating this incident. And if you believe that, there are several bridges you may be interested in purchasing.

The newspaper articles that were printed in the middle of March are now a month-and-a-half old and fading from memory, which is precisely as the township hopes. This is not surprising – a town of 30,000 people that doesn’t have an IT Department or even a single tech person on staff – you can see how much they care for the safety of residents.

We still love our town. We still think it’s something special. It remains a great place to raise kids. But we have a legal, moral and ethical right to know what personal information was released so we can actually try to protect ourselves in a world that is dangerous and getting worse. Thirty countries have instituted economic sanctions against Russia in the last two months. Russia fully intends to retaliate, and they will retaliate primarily with cyber attacks. Again – not speculation, this is fairly well-documented in the business press and on government websites. Russian hackers are very, very good, and they will be state sponsored and funded.

You don’t need to be told how serious ransomware has become over the last few years. It is an enormous growth industry for one simple reason – it works. Any family would gladly pay $300 to get 15 years worth of their family photos and home videos back. And for some guy in Siberia with nothing but a sack of beets to feed his family this week, that’s a lot of money.

We will never be safe without media exposure. These are our friends and our neighbors. These are good people living here.

Robert Williams
East Windsor