A new audit of Baltimore’s information technology department says the agency lost key data during May’s ransomware attack because some in the agency used an outdated method for storing files: the hard drives on their individual computers.
Baltimore City Auditor Josh Pasch presented his findings this week to a City Council committee. Pasch said the IT department was not able to provide documentation to support whether it was meeting its agency performance goals, such as modernizing mainframe applications and increasing the amount of data available on the city’s Open Baltimore website.
That’s because instead of saving data using a cloud storage method, as is recommended today, employees were saving files on their computers’ hard drives, as people did before and around the turn of the century, the audit found.
“Performance measures data were saved electronically in responsible personnel’s hard drives,” Pasch reported. “One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident."
Pasch said the lost and missing data results in a “loss of confidence” over whether the IT department was doing its job.
Hearing that, City Councilman Eric T. Costello, a former government IT auditor himself, stopped the hearing.
“That can’t be right? That’s real?” Costello asked.
“One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it,” Pasch replied.
“Wow. That’s mind-boggling to me,” Costello said. “They’re the agency that should be tasked with educating people that that’s a problem.”
In a written response to the audit, Baltimore’s IT director, Frank Johnson, who is on leave from the agency, wrote that he agreed with audit’s findings and would work to improve the department’s data storage practices.
Baltimore’s government was struck in May by hackers who sought tens of thousands of dollars from the city after infiltrating computer systems and shutting down a majority of city servers. Baltimore Mayor Bernard C. “Jack” Young refused to pay, and the FBI is investigating the hack.
Baltimore’s budget office has estimated that the ransomware attack on city computers will cost at least $18.2 million — a combination of lost or delayed revenue and direct costs to restore systems. The estimate includes about $10 million the city’s IT department will spend on recovery efforts by year’s end and $8.2 million in potential lost or delayed revenue, such as money from property taxes, real estate fees and some fines.
Baltimore is among the most heavily audited jurisdictions in the state, thanks to a mandate passed by voters in 2016 that requires agencies to undergo an audit every two years. City officials expect to complete 15 agency audits this year.
Costello, who is chairman of a seven-member Biennial Audits Oversight Commission, said he was pleased with the progress the city has made in moving toward more frequent audits.
Comptroller Joan Pratt reported that in 2018 auditors saved city taxpayers $959,986 by identifying waste or abuse.
“Three years ago, there were a lot of news stories about how audits weren’t getting completed on time,” Costello said. “To me it appears 15 audits are going to be completed this year on time as required by the charter. I’m glad that what we established together is actually working.”