Baltimore’s budget office estimates a ransomware attack on city computers will cost at least $18.2 million — a combination of lost or delayed revenue and direct costs to restore systems.
The cost estimates were disclosed Wednesday at a City Council budget hearing as regular email service was restored for at least some Baltimore employees, the first public indication that the city’s technological recovery is showing signs of success.
The city’s information technology office has spent $4.6 million on recovery efforts since the ransomware struck May 7 and expects to spend an additional $5.4 million by the end of the year, officials said.
The other $8.2 million in impact is from potential lost or delayed revenue, such as money from property taxes, real estate fees and some fines.
The hackers demanded the city pay a ransom in bitcoins worth about $76,000 on the day of the attack, but Democratic Mayor Bernard C. “Jack” Young refused to pay. While the estimated cost of recovery is vastly higher than the ransom, the city still likely would have needed to spend money to bolster its defenses to prevent a future breach.
After hearing the news, Young said in an interview Wednesday night that he was going to “leave all of that to the professionals and we’ll just have to find the money” in the budget.
He added that he has talked with Democratic U.S. Rep. Elijah Cummings of Baltimore and plans to reach out to other members of Maryland’s congressional delegation to talk about getting financial help from the federal government because of “the virus that they let out,” referencing a New York Times report that a tool leaked from the National Security Agency played a role in the Baltimore hack.
As for the estimated cost and lost revenue being much larger than the ransom demand, Young said: “We’re not going to pay criminals for bad deeds. That’s not going to happen.” He added that even if the city were to pay the ransom, “there’s no guarantee that if you pay, you reset your system.”
Members of the congressional delegation have sought briefings from the NSA and federal law enforcement about the hack.
City budget director Bob Cenname shared the cost estimates at the council hearing. He said he didn’t expect to see a long-term hit to revenues, but some payments to the city had been delayed.
“Once we get through this bump, I don’t think the ransomware will have a huge effect,” Cenname said.
A summary of the cost estimate did not provide a breakdown of the projected $10 million in spending, but officials have said they’re working with outside experts to restore the network under arrangements approved by the city’s finance director.
The initial cost estimate is similar to a figure for Atlanta, which suffered a similar attack last year and which Baltimore officials have said they’re using for comparison. A confidential estimate obtained by the Atlanta Journal-Constitution put Atlanta’s costs at $17 million, but it’s not clear whether that included any effect on the city’s revenues.
Democratic Councilman Isaac “Yitzy” Schleifer said he was not surprised by the Baltimore estimate, given the experience of other jurisdictions. But he said council members are seeking a fuller estimate that would include lost productivity by city employees.
Schleifer said he expects the total cost to rise, adding: “There’s obviously a lot more where that came from.”
Since the beginning of the attack, employees had been without access to baltimorecity.gov emails. Many resorted to creating Gmail accounts as a workaround. That caused fresh problems, though, when Google’s security system flagged some of the accounts as suspicious and briefly suspended them.
Lester Davis, a spokesman for Young, said the city has successfully carried out a pilot to restore some email accounts. The city now will begin restoring accounts, prioritizing the police and fire departments as the system is rolled out. Davis said the email system now includes additional safeguards, but he declined to describe them.
“The situation is still delicate,” Davis said. “Folks are working through this. We’re taking our time.”
Officials have not given a timetable for how long the recovery will take, other than saying it could be months.
The city also restored some services with manual workarounds. While the city’s credit card payment system was knocked offline, residents with copies of bills could pay what they owed by mail or in person using checks or money orders.
After the city’s property market was halted by the attack, officials came up with a temporary fix, relying on sellers to sign paperwork promising to pay any outstanding bills once the systems come back online.
Sheryl Goldstein, a deputy chief of staff to Young, has said the city has been proceeding cautiously as it seeks to bring systems back online, not wanting to leave any weaknesses unaddressed.
“It is preferable for us to be safe and do it right than to do it fast,” she said in an interview last week.