Cleveland City Hall is closed again to the public after an unspecified cyber threat shuttered the government building and many of the city’s services for almost a full week.
Inside, the city keeps records including the personal information of hundreds of thousands of Cleveland and other Cuyahoga County residents, including birth and death certificates, permits, payment records and more.
As the days pass without an answer about what resident data — if any — has been affected, cybersecurity expert Erman Ayday said the lack of details about the incident itself can severely damage public trust.
"If you keep this type of sensitive information and if your system is breached, you need to notify the people who were affected as a result of this incident as soon as possible," said Ayday, a professor at Case Western Reserve University. "Typically, you will lose the trust of people if you are not transparent enough."
In a statement released earlier this week, a city spokesperson said they understand that transparency is important, but providing details could compromise an ongoing investigation. On Wednesday, city officials said the threat is contained, but still did not release any further information to the public or members of the media.
What can hackers do with residents' personal data?
Ayday said without knowing the nature of the threat affecting Cleveland, it’s hard to assess the danger it might pose, but hackers can sell personal data like Social Security numbers and bank information, which can lead to identity theft or fraud.
He pointed to major data breaches as examples: earlier this year, AT&T customers began filing class action lawsuits against the telecommunications company for a data breach in which 73 million people had their personal information stolen. In response, AT&T prompted users to reset passcodes and provided all customers whose accounts were breached with free identity theft and credit-monitoring services for one year.
"At least they could provide some countermeasures for their customers against identity theft because that's the most important thing as a result of this," Ayday said. "If people are aware this is happening, they can be more diligent when these scammers keep sending you emails or try to get money out of you. ... This may easily happen unless people are aware of the consequences and if they don't do anything."
Why are local governments a target for cyber attacks — and how have other cities handled it?
Cleveland is hardly the first city to experience a cyber threat.
Government entities are a common target for such attacks, according to Ayday.
"The city actually holds a lot of sensitive information about people living in Cleveland. Then obviously, that information becomes very valuable in black markets because that information can be used in order to do identity theft, scamming," Ayday said.
And unlike major companies with lots of resources, Ayday said local governments can be easier to infiltrate because of outdated software, equipment or insufficient staffing.
Even still, there are ways for cities to mitigate risk, like encrypting and backing up data. Cleveland officials did not answer reporters' questions at a press conference Monday about what systems were in place to combat such attacks.
Even with proper safeguards in place, Ayday said experienced hackers can – and have – infiltrated city systems.
"There was a saying that, you know, you are only as strong as your weakest link. It is almost always possible to find the weakest link to do these types of breaches," he said.
It could even be as simple as someone losing their government-issued phone or tablet, he said.
Cleveland officials did not confirm or deny if the attack was ransomware, a malware that blocks access to the victim's sensitive data or holds it hostage unless a ransom is paid, but such cases have happened elsewhere.
In Wichita, Kansas, a number of city services went offline for over a month after a ransomware attack in May.
In Dallas, Texas, a 2023 ransomware attack compromised the personal data of at least 26,000 people. The city offered two years of free credit monitoring and identity theft insurance.
In some cases, victims will cough up the ransom.
"Once they get [the ransom], they typically just give the systems back to the city," Ayday said. "The most important thing is the benefits versus costs. Because shutting down a city for a couple of days is a huge expense... And maybe you can actually find the solution yourself without paying the ransom, or you can just pay it and get your systems back. But it completely depends on how much ransom you end up paying versus how much you lose by keeping the city shut down."
Mayor Justin Bibb did not answer a reporter's question at a Monday press conference about whether he would pay a ransom.
City Hall will remain closed through the rest of the week.