A ransomware attack apparently corrupted some of the data at the Palm Beach County Supervisor of Elections Office in 2016, but state and federal officials were not told about the attack for years.
The cyberattack — which became public this week after current Palm Beach County elections supervisor Wendy Sartory Link discussed it in a Palm Beach Post editorial board meeting — raises questions not only about what could happen if other elections offices across the state are hit with ransomware attacks, but also about whether the public would know if they were.
Then-Gov. Rick Scott, who is now a U.S. senator, was not notified of the reported ransomware attack in 2016, his Senate office said. The Florida Department of State also said it was not told about the attack in 2016.
The previously unreported incursion occurred in September 2016, Link told the Tampa Bay Times, under the watch of her predecessor, Susan Bucher. Link said she found out about the attack in November 2019 from one of her IT specialists after her former IT director had been fired. Link said she then reported the cyber incident to the state, the FBI and Homeland Security.
Link said she has since been told the office had been infected with a type of ransomware known as a zepto virus. She said she did not believe the attack was tied to Russian interference efforts in the 2016 election.
The Times was not able to reach Bucher on Thursday. In a Thursday interview with the South Florida Sun-Sentinel, Bucher, who was suspended in 2019 by Gov. Ron DeSantis after he said she failed to properly conduct recounts in the 2018 election, said she can “swear on a stack of Bibles” that the cyberattack described by her successor did not happen.
Link, who was appointed by DeSantis to replace Bucher, said she has spoken with the fired IT director as well as employees in her office regarding the attack, saying they described seeing files that suddenly couldn’t be accessed or whose names had changed, and pop-up text boxes demanding payments in order to get the files back. She said employees described moving frantically to contain the infection, saying the IT director at the time screamed for employees to shut down the servers.
Link said she does not believe any ransom was paid. She said the majority of files were able to be restored with backups. She was not able to say exactly which files were affected, but said she did not believe it impacted the voter registration system.
Link said employees were recently able to find thousands of pages of code that had been printed out at the time of the virus. She said she sent those pages recently to the FBI.
She also said her office has been working with the U.S. Department of Homeland Security and other agencies to do a further review of her office’s systems ahead of the 2020 election.
“We feel very confident that we’re in very good shape now,” Link said, adding that under her watch, her office will immediately report any issues to the proper agencies. She said voters should feel good about her office’s efforts to ensure the integrity of the election.
Still, she said, “the bad actors that are doing these things, they come up with new things every day.”
Florida’s 2020 presidential primary is March 17.
The revelation about the hack and the fact that it had gone unreported for more than three years has raised concerns in a state that tends to be closely watched by the nation on Election Day.
“This is very typical of what’s going to be happening, not only with the Russians and the Chinese and other state actors, but increasingly we have this kind of unfortunate opportunity for bad actors to use high technology to pull off these things,” said former U.S. Sen. Bill Nelson, who warned voters about cyber attacks during his losing 2018 reelection campaign. He said Thursday that he had not been told about the ransomware attack in Palm Beach County in 2016.
This is certainly not the first time the public has been kept in the dark about incursions on elections infrastructure. It wasn’t until last year that Floridians found out that two counties had been hacked by Russians ahead of the 2016 election. Which two counties they were remains a mystery for the public.
The apparent decision for Palm Beach County to not report the attack to the state or other agencies is surprising, said Maurice Turner, deputy director of the Internet Architecture project at the Center for Democracy and Technology.
Any ransomware attacks ought to be reported to officials so that agencies can work together to understand whether they are dealing with an isolated incident or a potentially coordinated attack, he said.
“This was absolutely serious. It’s something where, at a minimum, officials should have been notified,” Turner said. He added, “Wouldn’t it be weird if someone broke into city hall and stole a bunch of files and no one ever reported it?”
Turner said ransomware attacks are one of the more likely threats facing election infrastructure. He said changing votes is only one way to disrupt an election; an attack in another part of the system could also affect an election’s functioning.
Turner noted that virtually every industry has been affected by ransomware attacks, and elections offices are no different.
A number of cities in Florida have been affected by ransomware attacks in recent months, including the city of Riviera Beach, in Palm Beach County. Private companies have also been hit, including the Tampa Bay Times.
“It only takes messing up a single time in order for the entire infrastructure to be infected with ransomware,” Turner said.
Tammy Jones, president of the Florida Supervisors of Elections, said elections officials are much more likely to report any cyber attacks now than they would have been in 2016, especially given news about attempted interference in elections that has come out since that election. She said supervisors now have stronger relationships with agencies like the Department of Homeland Security and the FBI, and protocols are now clearer.
The Florida Secretary of State Laurel M. Lee said in a statement that her office takes election security seriously, noting for instance that it has five dedicated cybersecurity navigators to provide direct assistance to counties.
“The department is working with each supervisor of elections to address any weaknesses or vulnerabilities that are identified in their county prior to the 2020 elections,” Lee said.