“Bumbling” NYPD contractor nearly infects fingerprint database with ransomware
The New York Police Department is blaming a “bumbling” contractor for a ransomware infection of roughly two dozen devices connected to the department’s LiveScan fingerprint tracking system, CPO Magazine reports. The ransomware never executed, and the department’s database was reportedly saved by being taken offline overnight.
The infection spread accidentally from a computer used by a contractor installing video equipment at a training facility, and was detected within a matter of hours, according to the article. The contractor had plugged a NUC mini-PC into the police network, and was referred to NYPD cyber command and a Joint Terrorism Task Force, though never charged with a crime. Software was reinstalled on some 200 computers system-wide, and the biometric fingerprint database was back up and running the next morning.
“The fact that the malware has worming capability, meaning it can spread from one computer to the next, is reminiscent of the WannaCry attack,” Juniper Threat Labs Head Mounir Hahad explained to CPO Magazine. “We do not know if this attack is WannaCry, but we should all remain cautious about the leftover infections. Threat researchers continue to see a healthy background noise of previously infected computers that continue to infect other devices using the EternalBlue exploit over the SMB protocol. Fortunately, they rarely trigger the encryption routines because of the presence of the kill switch domain.”
Had the attack been successful, it is likely that some or all of the data would have been lost, and possible that it would also have been exfiltrated from the system, in what would have been the largest publicly known theft of biometric data ever. Further, the NYPD kept a database of fingerprints from juvenile delinquency records in direct violation of state law until recently, according to The Intercept.
The NYPD destroyed the database in November, according to Legal Aid, which had been fighting the department over the retention of the data. How long records were accumulating in the database is uncertain, but Legal Aid lawyers estimate there may have been thousands of fingerprints retained illegally.
According to CPO Magazine, public institutions are increasingly targeted by ransomware attacks, and should all put policies and procedures into place to be ready to mount an attack response, as the NYPD was.
The NYPD has been lauded for its use of best practices in using facial recognition to conduct rapid investigations, but the department was also accused earlier this year of violating best practices with its DNA and facial recognition systems.