Particle.news

Nevada Details Statewide Ransomware Attack: No Ransom Paid, 28-Day Recovery

The report traces a May backdoor infection to the Aug. 24 encryption, detailing costs and planned safeguards.

Overview

  • Investigators say the intruder first gained access on May 14 via a trojanized administration tool delivered through a malicious search ad, leaving a hidden backdoor even after the initial malware was removed.
  • The attacker installed commercial monitoring tools, used encrypted tunnels and remote desktop sessions, reached the password vault, wiped logs, and deleted backup volumes before triggering encryption on Aug. 24.
  • Forensics found access to 26,408 files with 3,241 exposed; only one document contained personal data that prompted notification, and no confirmed evidence shows data was exfiltrated or posted on a leak site.
  • Disruptions hit more than 60 agencies, including DMV office closures for over a week and a background check system that remained offline for about three weeks.
  • Response spending totaled about $1.3 million for outside vendors and roughly $211,000 in overtime wages across 4,212 hours, with cyber insurance covering contractor costs as the state implements endpoint detection, tighter privileged access, and a centralized security operations center.