Suffolk County's IT department received nearly $4 million for security upgrades just months before a massive data breach, according to records from a legislative meeting.
Lawmakers allocated the funding on March 8 for technology upgrades, computer replacements and a disaster recovery project. The County Executive’s Office said some of those projects have been implemented within the Department, while others are currently underway.
During that March meeting, IT Commissioner Scott Mastellon touted the county's cybersecurity measures. He told lawmakers that the department has around 10,000 employees on high alert and works closely with the New York State Department of Homeland Security Emergency Services.
"We have significant safeguards in place that has positioned us well against any potential attack," Commissioner Mastellon told lawmakers during a March 2 committee meeting. "These capital projects will all have a positive impact on our ability to further implement and extend safeguards."
These precautions, though, did not protect the county against the latest cyberattack. Lawmakers launched a special legislative committee to investigate the source of the attack and identify how those taxpayer dollars earmarked for cybersecurity were spent.
The IT department reported that 27 devices, some that may cost between $20,000 and $30,000 each, needed to be replaced by the end of 2022, according to county records. It's unclear if that work was ever completed before the attack.
After another ransomware attack against an outside county vendor in December, IT administrators started to meet on a weekly basis to discuss safety measures. They also conducted simulated attacks for employee training as part of their cybersecurity awareness program.
In the months leading up to the breach, Commissioner Mastellon told lawmakers that they leveraged cybersecurity industry experts from Redland Strategies to support cybersecurity tabletop exercises—but those exercises happened "a few years ago."
Despite all these safety precautions, and millions of dollars in funding, the county's IT system was still vulnerable to an attack. More than a month later, the county continues the process of restoring services in departments such as the clerk's office - where people access title documents - and the Department of Social Services, where benefits have been impacted.
In June, the Suffolk County District Attorney's Office received an anonymous tip that there may be a potential cyberattack targeting another county agency. At the time, county IT employees said their checks revealed no malicious activity. The breach happened in September.
Kevin McCaffrey, presiding officer of the Suffolk County Legislature, said the goal of the special legislative committee is to reveal gaps in the system and alert other agencies to what they find. By learning what went wrong in Suffolk County, other municipalities may also be able to ensure they have robust cybersecurity measures.
"It's not a witch hunt," said McCaffrey. "It's really an investigation to make sure that we solidify all our cybersecurity."