In a report to a committee of the Baltimore City Council last week, City Auditor Josh Pasch said that the city’s Information Technology department could not provide any documentation of its work toward meeting agency performance goals because the only copies of that data were kept on local hard drives and never backed up to a server or the cloud.
As the Baltimore Sun’s Luke Broadwater reports, Pasch told the council:
Performance measures data were saved electronically in responsible personnel’s hard drives. One of the responsible personnel’s hard drive was confiscated, and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident…One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it.
The lost data, Pasch said, resulted in a “loss of confidence” in whether the IT department was accomplishing anything on its to-do list.
City Councilman Eric T. Costello interrupted the testimony to interject, “That can’t be right? That’s real?… Wow. That’s mind-boggling to me.”
In a written statement to the committee, Baltimore City Chief Information Officer Frank Johnson acknowledged the findings of the audit and said that his agency would work to improve the department’s data-storage practices. Johnson, however, is on “extended leave” from the agency. It is widely believed he will not return, according to sources in Baltimore City government who spoke to Ars Technica. Johnson, who was hired by the now-resigned Mayor Catherine Pugh, was previously a regional vice president of sales for Intel with no IT operations experience.
The “RobbinHood” ransomware attack against Baltimore City has thus far cost the city over $18 million. The process is made much more expensive by the widespread absence of data backups or any sort of disaster recovery planning. Over the summer, temporary workers were brought in to replace hard drives and monitors on affected computers, and new servers were purchased to replace those affected by the ransomware.
Ars has requested information from the city regarding the contracting details for the recovery, but the city has thus far provided no data. Requests for data on the status of patches and disaster recovery plans were refused because the documents do not exist as a result of the ransomware attack.