The Sault Ste. Marie Tribe of Chippewa Indians reported that they had been the victim of a cyberattack earlier this year.
Tribal government operations, healthcare services and businesses shut down as a result. Now tribal members and employees are being told to secure their personal information. WCMU's David Nicholas spoke with reporter Teresa Homsi about the breach.
Editor's note: This transcript has been lightly edited for clarity and length.
David Nicholas: Teresa, can you start by explaining what happened?
Teresa Homsi: This is still an active investigation with the FBI, so some of the details are murky, but Feb. 9 is when the attack occurred and when the tribe became aware of it, according a spokesperson for the tribe.
It resulted in limited tribal government services, the closure of gas stations and casinos, and hotels, canceled events, down phone lines and restructuring of healthcare services and pharmacies.
In late February, Chairman Austin Lowes apologized for how “disruptive” the attack had been and said the tribe is strengthening its IT systems and expanding cybersecurity training for employees.
The tribe also announced they would not pay a ransom that the cyber-criminals tried to extort. In a recorded video released on March 5, Chairman Lowes explained that decision and said it was made in consultation with cybersecurity experts, legal counsel and law enforcement.
“We did not trust (the hackers) to keep their word, after all, they're criminals," Lowes said. "We could have paid the ransom, and they could have still leaked our data.”
DN: So what’s the current status?
TH: The tribe has restored most of its operations at this point. The health care division was the most impacted, and as of March 12, there were still posts on the tribe’s Facebook page with phone numbers to call for different health services.
But the tribe is conducting a forensic audit to figure out what kind of information was stolen. This is a lengthy process, they say, that requires the tribe’s IT team to manually review “hundreds of thousands of documents.”
DN: So what should people do if they believe their information may have been stolen?
TH: The tribe says it will reach out to members and employees if their data was compromised, but time is really of the essence here and you shouldn’t wait to lock down your personal information.
Some recommendations include contacting your credit card provider and setting up fraud alerts, changing passwords, and reaching out to one of these three credit reporting agencies to request a credit freeze. See more information at the bottom of the page.
I also spoke with a cybersecurity expert, Andrew Morin, who is a research assistant professor of cyber studies at the University of Tulsa. He told me that data breaches happen all the time, and you may not even realize you’ve been affected by it until it’s too late.
But to play it safe, Morin said people should set up a credit freeze to prevent anyone from opening new accounts in your name, without your knowledge.
DN: And we’ve heard a lot about how cyberattacks and scam incidents are increasing. This is also true for municipal systems, including local and tribal governments. Why is that?
The obvious answer is that many services are being digitized that previously weren't — think about how you pay your bills online — and so attacking a municipal system can be a way for cybercriminals to get a lot of personal information.
Smaller governments can be even more susceptible because they may not invest as many resources into their data security.
“My Social Security number, my bank account information, my address, all of that information is equally important to me, whether or not I'm in a small town or a big city of 500,000 people, right?" Morin said. "But the resources protecting that information are drastically different.”
Morin said phishing scams — where a cyber-criminal pretends to be someone else to get account information — is one of the most common causes of cyberattacks.
We may think of phishing scams to be super obvious, suspicious emails with typos, errors and a weird tone. But people overestimate their ability to detect these kinds of scams, and sometimes, they can be really convincing.
Last year, I reported on an incident in the Thumb where a utility department fell for an email phishing scam that cost them $189,000, and this was a "business compromise scam," where a scammer posed as a legitimate vendor.
Morin said that people, especially in small communities, should really petition their local governments to invest in cybersecurity and training to prevent these kinds of incidents.
"Talk to your neighbors about about their opinion on these things and see what kind of resources and tools there are for you as well," he said, adding that it's a "two-way street."
"A good idea for municipal governments to clearly communicate with their citizens about cyber risks and incidents and the importance of cybersecurity," Morin said.
Cybersecurity Tips for Individuals and Organizations
- Enable multi-factor authentication on your accounts to add an extra layer of security.
- Do not use the same password across different platforms. Use a password manager to organize unique passwords if you struggle remembering login information.
- Contact your credit card provider to set up fraud alerts on suspicious activity.
- Report scam messages to your email provider. There may be an option to report phishing or junk.
- If someone reaches out asking you to update your information or make a payment, reach out to the person through other means to verify their identity. They may have been hacked, but a phone call or message on another platform could prevent your account from being compromised as well.
- Establish a freeze on your credit by reaching out a credit reporting agency:
- Equifax (800-525-6285)
- Experian (888-397-3742)
- Trans Union (800-680-7289)
The tribal police department and FBI did not return WCMU's request for comment. WCMU will continue to follow this developing story.