Internal email confirms Northwest Florida court hackers obtained employee tax documents

Florida's First Judicial Circuit, which covers Escambia, Santa Rosa, Okaloosa and Walton counties, has been dealing with a cybersecurity breach in its administrative system since early October.

After Chief Judge John Miller confirmed personal data had been breached in the attack, the News Journal obtained an internal email that says law enforcement confirmed the attack compromised employee tax forms and other sensitive documents.

"One of our employees discovered that her W-4 form, and another employee's W-4 form, were on the 'dark web,'" the internal email states. "A photo of another employee's driver's license is on the dark web, along with a Peoples First ID number."

People First is Florida's online web-based human resources information system, according to the Department of Management Services.


The email also says that Okaloosa County's confidential phone list, which holds the judges' personal cell phone numbers, was published. Two employees have reported fraudulent credit card charges and another reported that their personal email had been hacked, but the court email says those incidents have not been confirmed as resulting from the cyberattack.

"Quite frankly, at this point, we just do not know the extent of the information obtained," the email says. "We are in the process of trying to obtain a list of employee names whose information might have been compromised directly from (Florida Department of Law Enforcement), because any other sources may or may not be legitimate."

What happened to the court system?

On Oct. 2, Escambia Trial Court Administrator Kasey Watson sent out a press release saying the First Judicial Circuit experienced an "information technology security event," impacting administrative court operations throughout the four-county area.

In a release on Oct. 9, Watson said the circuit is coordinating with law enforcement and external cybersecurity experts.

Escambia County Clerk and Comptroller Pam Childers told the News Journal that the local administrative structure, which is tied to the Florida Supreme Court's Office of the State Courts Administrator, was breached during the incident.

According to the Florida Courts website, OSCA was created in 1972 to serve the state's chief justice and carry out the justice's responsibilities as chief administrative officer, including the 20 circuit courts throughout the state. Each circuit has a local administrative structure that is presided over by that circuit's chief judge.

Who hacked the First Judicial Circuit?

The First Judicial Circuit has not confirmed the person or entity that hacked their system, but the communications team for global cybersecurity company Heimdal Security, which provides cloud-based cybersecurity solutions, reported that the ALPHV/BlackCat ransomware group claimed responsibility for the attack on its data leak page.

The ransomware group claims to have access to Social Security numbers of employees and a detailed map of the court's systems. Access to employee W-4 forms could give hackers access to an employee's first and last name, their Social Security number and their address.

Miller could not confirm or deny whether ALPHV/BlackCat caused the attack.


What is the ALPHV/BlackCat ransomware group?

The ALPHV group is thought to be a rebranding of the DarkSide/BlackMatter ransomware group that rose to global prominence after its cyberattack on Colonial Pipeline in 2021, according to the FBI's Internet Crime Complaint Center (IC3).

In April 2022, IC3 reported that ALPHV/BlackCat was the first ransomware group to successfully compromise 60 entities worldwide using the programming language Rust.

The group typically leverages previously compromised user credentials to gain initial access to victim systems, according to IC3, and then infects them with malware.

Once the malware is in place, it will configure "malicious Group Policy Objects" to deploy ransomware throughout the system, disabling security features.
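For defenders, the GPO tactic described above leaves a trail on domain controllers: with "Audit Directory Service Changes" enabled, each GPO edit or creation produces Windows Security event 5136 or 5137 with object class groupPolicyContainer. The following is an added example, not code from the article or from any party it names; it parses a handful of constructed single-line event renderings (the key="value" format, account names and distinguished names are assumptions) and flags GPO changes made by accounts outside an expected-administrator allowlist.

```python
"""Flag Group Policy Object changes in constructed Windows Security log lines."""
import re
from dataclasses import dataclass

GPO_EVENT_IDS = {5136, 5137}           # 5136 = object modified, 5137 = object created
GPO_CLASS = "groupPolicyContainer"     # LDAP object class of a GPO container
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # constructed key="value" line format


@dataclass
class GpoChange:
    event_id: int
    account: str      # SubjectUserName that performed the change
    object_dn: str    # distinguished name of the GPO container
    attribute: str    # attribute touched (5136 only; "-" for creations)


def parse_line(line: str) -> dict:
    """Turn one constructed key="value" event line into a dict."""
    return dict(FIELD_RE.findall(line))


def gpo_changes(lines) -> list:
    """Return every directory-change event whose target is a GPO container."""
    found = []
    for line in lines:
        f = parse_line(line)
        if not f.get("EventID", "").isdigit():
            continue                      # malformed or non-event line
        eid = int(f["EventID"])
        if eid in GPO_EVENT_IDS and f.get("ObjectClass") == GPO_CLASS:
            found.append(GpoChange(eid, f.get("SubjectUserName", "?"),
                                   f.get("ObjectDN", "?"),
                                   f.get("AttributeLDAPDisplayName", "-")))
    return found


def unexpected_gpo_changes(lines, allowed_accounts) -> list:
    """GPO changes by anyone not on the (case-insensitive) admin allowlist."""
    allowed = {a.lower() for a in allowed_accounts}
    return [c for c in gpo_changes(lines) if c.account.lower() not in allowed]


# Constructed sample events; the GPO GUID and domain are placeholders.
SAMPLE_LOG = [
    'EventID="5136" SubjectUserName="gpo-admin" ObjectClass="groupPolicyContainer" ObjectDN="CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=local" AttributeLDAPDisplayName="versionNumber"',
    'EventID="4624" SubjectUserName="jdoe" LogonType="3"',
    'EventID="5137" SubjectUserName="svc-backup" ObjectClass="groupPolicyContainer" ObjectDN="CN={PLACEHOLDER-GUID-2},CN=Policies,CN=System,DC=example,DC=local"',
    'EventID="5136" SubjectUserName="svc-backup" ObjectClass="groupPolicyContainer" ObjectDN="CN={PLACEHOLDER-GUID-2},CN=Policies,CN=System,DC=example,DC=local" AttributeLDAPDisplayName="gPCMachineExtensionNames"',
    'EventID="5136" SubjectUserName="jdoe" ObjectClass="user" ObjectDN="CN=jdoe,CN=Users,DC=example,DC=local" AttributeLDAPDisplayName="description"',
]

if __name__ == "__main__":
    for c in unexpected_gpo_changes(SAMPLE_LOG, ["gpo-admin"]):
        print(f"ALERT event {c.event_id}: {c.account} changed {c.attribute} on {c.object_dn}")
```

A service account creating a new GPO and then setting its machine-side extension list is exactly the pattern a ransomware push through Group Policy would produce, so in practice the allowlist should be tight and the alert routed to the incident response team.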

What is a ransomware attack?

According to Elizabeth Rasnick, associate professor with UWF's Center for Cybersecurity, a ransomware attack is when a person gains access to a system's data and then encrypts it to lock out the owner of the system and data.

"In order for (the system owner) to get access back, they would have to pay a ransom," she told the News Journal. "There's some type of ransom note, usually an email, that says, 'Hey, we've locked down your data, and it's going to cost this much to get it back.'"

Outside of paying the ransom, Rasnick says system owners could restore their data if they have a backup stored. If they don't have a backup, they must either go through the painstaking process of "piecemealing" the data together from outside sources or begin from scratch.

Miller could not confirm or deny to the News Journal whether the courts have a backup system in place.

This article originally appeared on Pensacola News Journal: Escambia court memo says court hackers obtained employee tax forms