EXCLUSIVE – City of Augusta, GA: this is perhaps one of the largest government data thefts in recent years in U.S.

This article retraces and documents the steps that led to our exchange of numerous emails with the BlackByte ransomware group. Using a series of data, we describe the damage that the cyber attack of last May 21st, and the consequent theft of documents, caused to the City of Augusta. Above all, we list which types of documents, among them many containing PHI and PII of citizens and employees of the city, are still available on BlackByte.

We recall that a total of 34,004 documents were stolen from the city’s servers, in addition to several hundred e-mails held in the e-mail accounts of 12 employees of the Municipality and in the 6 Outlook backups.

On the evening of May 29 we wrote our first email to BlackByte, asking for information on its recent cyber attack against the city’s IT systems. In the email we pointed out the presence of sensitive PII data and asked whether PHI data was also present. We also asked about the May 25 statement in which the Mayor of Augusta said that the $50M ransom reported by some media was not true.

Here’s what they told us a few hours later

[Screenshot: BlackByte’s reply]

So the news that appeared on a website of a local TV station in Augusta, which spoke of a $50M ransom, was denied not only by the Mayor, but also by the author of the cyber attack.

We also tried to ask BlackByte whether the attack had been carried out by means of social engineering techniques, but they replied that they used their own techniques and would not share them with us.

In the following days we came into possession of the documents exfiltrated from the City of Augusta. Once extracted from the zipped archives, the data amounts to 83GB across .pdf, Excel, Word, text and .pst files: a total of 34004 files and 7420 folders.

Total files and folders exfiltrated by BlackByte

Part of these documents, 3093 folders and 10796 files, was already contained in the 10GB of compressed data that BlackByte had published on its blog in the days following the cyber attack.

In those 10GB we had found several sensitive documents containing PHI and PII, as we already had the opportunity to document in our first article, as well as several Excel files containing passwords and user accounts (some, we think, for private accounts) of an employee of the Municipality, and another Excel file with city employee data:

  • Full names
  • Windows Login Accounts
  • Department
  • Email Address

There was also a list of 132 homeless people in Augusta with photo, full name and surname, and date of birth, as well as sensitive data and a variety of PHI and PII documents belonging to an employee:

  • Medical reports
  • Health Coverage
  • Form W-2
  • Retiree Account Statement (RAS)
  • military info
  • tax2020
  • tax2021
  • tax2022

Employee health summary

A 2012 tax form for a city employee included their name, SSN – Redacted by SuspectFile.com

We had also found a medical record of a citizen born in Ghana.

The health document appears to belong to a citizen residing in Ghana, or in any case born there, who currently appears to hold the position of CEO of one of the most accredited Ghanaian banks. We could not understand why this document was stored on one of the servers of the City of Augusta.

Ghanaian-Citizen-Health-ID

We found additional sensitive PHI and PII documents; our searches led us to speculate that they may belong to a City employee, possibly now retired, and his wife.

Life Insurance – Redacted by SuspectFile.com

Employee Medical Record

Employee Annual Salary – Redacted by SuspectFile.com

We found dozens of employee payslips from 2011 – 2020

Employee paycheck – Redacted by SuspectFile.com

Employee Driver License (expired in 2021) – Redacted by SuspectFile.com

Employee Information Form – Redacted by SuspectFile.com

Regarding the emails in the 83GB of data, we found a total of 10.6GB of emails in 21 .pst archives, 5 of which are backup files. The emails are dated from 2004 to 2023 and mainly exchange work information between the various employees of the City of Augusta, although the content of some of them shouldn’t have been on a server of a public institution because, in our opinion, they deal with private matters.

pst-files

In the “Exchange.pst” folder we found emails dated May 2023; some of these contain Word or Excel files of work reports from the “Fire Department/Emergency Management Agency” of the City of Augusta.

Exchange pst – Redacted by SuspectFile.com

In other emails we found health documents as attachments; two of these emails had two PHI documents attached, belonging to the same person, a minor at the time.

Preparticipation-Physical-Evaluation-2018 – Redacted by SuspectFile.com

Preparticipation-Physical-Evaluation-2019 – Redacted by SuspectFile.com

Mayor Garnett L. Johnson released a new statement updating the status of the services that had been interrupted after the cyber attack.

The Mayor declares that the Augusta IT department and external specialists are collaborating to restore the services interrupted by the cyber attack of last May 21st. He reaffirms that neither Augusta nor its associates have ever been in contact with the criminal group that claimed responsibility for the attack on the IT systems.

The statement posted on the institutional website goes on to report that many services have been restored, except for three major systems that are still being restored:

  • Geographic Information Systems (GIS)
  • the enterprise asset management system that depends upon GIS
  • the solid waste operations system

According to the Mayor, these services should be restored within the next two weeks.

It is precisely the GIS that has been most affected by the BlackByte ransomware group: a large part of the exfiltrated documents belong to this Department, a total of almost 30GB, almost half of the total exfiltrated data. Among these are land maps, building plans, building permits, analysis and conditions of the territorial waters of Richmond County, 2018 aerial maps of Augusta Regional Airport, a 2010 homicide map and much more, as the following screenshots show.

This screencap shows a directory of GIS files totalling 12GB. The majority of files were .pdf files.

This screencap shows a directory of GIS-Maps files and projects totalling 11GB. Most were Excel, Word and .pdf files.

This screencap shows a directory of seven archives of GIS files totalling 6.6GB. The majority of files were .pdf files or .doc files.

This screencap shows a Sheriff directory of GIS-Maps files, with subdirectories containing Augusta Regional Airport 2018 Aerial Maps documents, a 2010 Homicide Map, Downtown Cameras, Police Areas, Police Zones, and much more.

On Thursday 8 June we wrote an e-mail to BlackByte asking whether the backup files had been deleted during the cyber attack and whether they still had access to the city’s IT systems. This is their reply:

[Screenshot: BlackByte’s reply]

On Thursday 8 and Friday 9 June we wrote to the Mayor of the city and asked for a statement on the case and on the exfiltrated data, published on information websites. We have not received any responses prior to the publication of this article.

The article will be updated in case of new details.