Kentucky city denies public records requests on hack attack; contends no data compromised

Published 4:59 am Friday, April 16, 2021

Scant information has surfaced regarding a hack into the City of Frankfort’s IT servers since news first broke of the breach a month ago.
No more came as a result of a round of open records requests filed by The State Journal for more information regarding the ransomware attack and the overall security of the city’s servers.
Three open records requests were denied last week based on Kentucky statute exemptions related to “a terrorist act” and attorney-client privilege.

Two requests sought records related to the city’s response to the hack and one asked for records prior to the city’s learning of the breach in mid-March regarding the city’s server security.

Two open records experts and advocates have called the city’s denial “nowhere close to sufficient” per state statute, particularly as it relates to a request asking for emails related to the security of Frankfort servers prior to when the hack was discovered.
In response to questions from The State Journal, City Clerk Chermie Maxwell — the primary records-keeper for the city — said that the city may have made a mistake in denying all potentially responsive records.

“Honestly, it looks like we just missed the dates on (the) third request since we have been so focused on the current events,” Maxwell wrote.

The response to that open records request is forthcoming.

Still, Amye Bensenhaver — a retired assistant attorney general who wrote open records and open meetings opinions for 25 years — quoted a recent Kentucky Supreme Court ruling against the University of Kentucky for blanketly denying a records request that might not have been entirely exempt.

“This is precisely the boilerplate response the Kentucky Supreme Court just declared wholly insufficient in UK v The Kentucky Kernel,” Bensenhaver said. “… The city needs to index the records, release any records that are not exempt, describe those that are and correlate the exempt records to the exemption in a response that is ‘detailed enough to permit the court to assess its claim and the opposing party to challenge it.’

“The city owes you a much better response under this two-week-old Supreme Court case.”

Michael Abate, a Louisville attorney who serves as counsel for the Kentucky Press Association, agreed with Bensenhaver.

“These responses are nowhere close to sufficient and you should press them for a more detailed response,” Abate said. “… What they’ve given you does not come close to satisfying their obligations.”

City Attorney Laura Ross said that, for the other two open records requests, the city asserts exemptions for attorney-client privilege and deemed “public infrastructure records related to information technology which, if disclosed, have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act.”

Those other requests asked for emails or messages specifically about the hacking incident from March 19 to March 30.
The full text of the request being processed again by city staff is as follows:

“Any public emails sent or received related to the security of Frankfort city servers

Please limit your search to all dates prior to Friday, March 19, 2021

Possible search terms: ransom, ransomware, phishing, data breach insurance, cybersecurity insurance, breach, firewall, network security system, p-drive, s-drive

The email sent by the entity that hacked into city servers that first allowed them access into city servers”

In response to a request for an update on the IT situation, city spokesperson Blair Hecker said that little has changed since the city asserted that “no data was compromised or removed” from its servers as a result of the hack.

“Nothing has changed since the update at the end of last week and we are still working on rebuilding and rebooting the rest of our IT systems,” Hecker wrote. “Once that’s finished, we’ll have a better update for you, should be sometime next week.”

The update came after the city responded to State Journal questioning last week with a press release, as well as another press release sent in mid-March closer to when the hack was first identified.

Two separate sources with knowledge of the situation — including one city employee — earlier told The State Journal that the city was being held ransom. Both spoke on condition of anonymity.

It is unclear if the city is still being held ransom. No city representative has confirmed or denied any involvement of a ransom.
Ransomware, a software that encrypts key files, allowing the hacker to demand ransom in exchange for their decryption, is a growing threat to organizations across the world. Recently, one of the largest public school systems in the United States was taken advantage of by hackers who demanded $40 million in ransom money.

The city had previously indicated it was engaged with federal law enforcement and its insurance provider in regards to the situation.

According to the city’s last release, its primary server is up and running and in use by city staff. However, some systems are still “offline and unavailable.” As Hecker noted, the city is in the process of “rebuilding and rebooting” some systems, with a potential finish date next week.

Already, the city has spent nearly $36,000 to purchase 60 computers for “updated malware and operating system upgrades.” Frankfort Mayor Layne Wilkerson confirmed earlier that the purchase was related to the hack.