The government of Union County in central Pennsylvania said a recent ransomware attack exposed information related to law enforcement and other government business.
# Incident Report: Union County, PA Ransomware Attack and Data Theft
## Executive Summary
Union County, Pennsylvania experienced a ransomware attack approximately 10 days prior to the public disclosure on Friday, March 14, 2025, leading to the confirmed exfiltration of personal information belonging to over 40,000 residents. The compromised data primarily involved individuals connected to County law enforcement, court matters, and other county business, potentially including Social Security numbers and driver’s license numbers. The county responded by engaging federal law enforcement and cybersecurity experts, and has initiated notification procedures while bolstering security tools.
## Incident Details
- Discovery Date: March 13, 2025
- Incident Date: Approximately March 3, 2025 (10 days before March 13 discovery)
- Affected Organization: Union County, Pennsylvania Government
- Sector: Local Government
- Geography: Pennsylvania, USA
## Timeline of Events
### Initial Access
- Date/Time: Approximately March 3, 2025 (Inferred starting point)
- Vector: Ransomware attack (Specific initial vector not detailed)
- Details: Attackers successfully infiltrated county systems, leading to the deployment of ransomware.
### Lateral Movement
- *(Not explicitly detailed in the source material)*
### Data Exfiltration/Impact
- Date/Time: On March 13, 2025, the county learned hackers had taken personal information from the network.
- Details: Personal information, potentially including Social Security numbers (SSNs) and driver’s license numbers (DLNs), was stolen. Affected data is mostly related to individuals involved with County law enforcement, court matters, and/or other County business.
### Detection & Response
- Date/Time: March 13, 2025 (Discovery Date)
- Details: The ransomware attack was discovered. Federal law enforcement was notified, and cybersecurity experts were engaged for recovery. A public notice was published on Friday (March 14, 2025).
## Attack Methodology
- Initial Access: Ransomware deployment (Specific initial method unknown).
- Persistence: *(Not detailed)*
- Privilege Escalation: *(Not detailed)*
- Defense Evasion: *(Not detailed)*
- Credential Access: *(Not detailed, but necessary for data access)*
- Discovery: *(Not detailed)*
- Lateral Movement: Necessary to access relevant law enforcement/court files for exfiltration.
- Collection: Gathering personal data, specifically SSNs and DLNs.
- Exfiltration: Confirmed; personal information was stolen prior to detection.
- Impact: Data theft (PII/Sensitive Data) and likely operational disruption (implied by the need for recovery).
## Impact Assessment
- Financial: *(Not disclosed/estimated)*
- Data Breach: Personal information of over 40,000 residents, potentially including Social Security Numbers and Driver's License Numbers, primarily linked to law enforcement, court, and county business contacts.
- Operational: Disruption of county services; scope of service impact was not provided by officials.
- Reputational: Public notification issued to residents; potential loss of public trust.
## Indicators of Compromise
*No specific IOCs were provided in the source text.*
## Response Actions
- Containment measures: *(Implied by ongoing investigation and security tool updates)*
- Eradication steps: *(Implied by hiring cybersecurity experts and pursuing recovery)*
- Recovery actions: Engaging cybersecurity experts to aid in recovery; planning to send written notices to affected individuals upon conclusion of data review.
## Lessons Learned
- The county's exposure to this attack, part of a wider wave of cyberattacks against local governments in early 2025, suggests systemic weaknesses in municipal security postures.
- The incident resulted in a significant PII breach involving highly sensitive identifiers (SSNs/DLNs).
## Recommendations
- Immediately review and implement enhanced security controls around systems containing highly sensitive PII, particularly data related to law enforcement and court records.
- Accelerate the review process to provide timely written notification to all affected individuals.
- Perform a comprehensive hardening of network defenses, focusing on preventing initial intrusion vectors that lead to ransomware deployment.
- Update security tools to enhance detection capabilities against known ransomware and data exfiltration techniques.