Nick Haffele was the interim director of Chatham County Management and Information Systems (MIS) when the ransomware attack which crippled the county’s system on Oct. 28 of last year occurred. …
Thanks for reading Chatham County’s leading news source! Making high quality community journalism isn’t free — please consider supporting our journalism by subscribing to the News + Record today.
Unlimited Digital Access: $3.99 for 1 month, $39 for 1 year.
Nick Haffele was the interim director of Chatham County Management and Information Systems (MIS) when the ransomware attack which crippled the county’s system on Oct. 28 of last year occurred. Haffele and his team helped direct and lead the recovery efforts, earning the praise of County Manager Dan LaMontagne and county commissioners for their tireless role in keeping county functions and services as uninterrupted as possible.
Though county officials have released no new statements about the incident in the last week — which ultimately led to the public uploading of some county data files after a ransom of 50 bitcoin (about $708,000) wasn’t paid to the threat actor making the demand — Haffele responded to questions from the News + Record via email.
Haffele was named MIS director in December 2020 after being appointed to serve in the interim role in June 2020. He also serves Chatham County as the Geographic Information Systems (GIS) manager, a role he has served in since February 2015. Haffele has held GIS roles in both the public and private sector including time with GeoComm, Branch County, MI (911), and Atos North America.
How was the breach discovered?
Chatham County Management and Information Systems staff found ransomware notes on encrypted servers when reporting to work on October 28, 2020.
Can you describe how you felt and what it was like for you after you were made aware of the breach? What was your immediate reaction, and how did you transition from that to a recovery game plan?
It was definitely a shock to the system at first, but we quickly transitioned to containment and mitigation of further propagation across Chatham County’s network. Our staff did a tremendous job to react quickly once the breach was discovered. We identified a recovery road map within 48 hours and worked towards prioritizing restoration of our most critical business systems.
What was your messaging like to your staff – what objectives did you communicate?
Our staff knew that we had a difficult road ahead, so my main focus was to remain positive and keep our recovery plan moving forward every single day. I cannot emphasize enough how professionally our staff handled the situation. They got to work immediately, supported one another and have kept a positive attitude the entire time.
How did you communicate, given that phones and email were down?
Thankfully we live in a time where multiple communication options are available. We utilized cell phones, temporary hot spots, Gmail accounts, etc., to keep lines of communication open between staff. We also held daily briefings with stakeholders to keep staff up to speed on the recovery plan and progress.
What in your training/previous experience prepared you for this?
Responding to an event like this is a team effort. It wasn’t going to be one person or department that would facilitate a successful recovery. MIS had developed a plan for response prior to the incident. Chatham County has also undergone multiple threat assessments in the past few years that helped guide our response plan and security measures. Additionally, my previous athletic experience helped me with responding to this event. We faced a lot of adversity and having the experience of working together as a team for a single objective helped keep things in focus.
Can you talk about those first days and weeks … how did you maintain your composure, your focus?
The most important things for myself and staff were to keep making progress, focusing on our priorities and remaining positive every day. It would have been easy to look at the totality of what we were facing and get frustrated, but my staff did a great job of moving ahead regardless of how much work there was to be done.
Can you discuss the process of wiping the county’s 500+ computers clean — how did you prioritize this work? And was all of it done by you and your staff? What was that like?
Our technical services support staff was able to complete the work of wiping and reimaging county computers without outside assistance. Our technical services supervisor prioritized this work based on guidance from our Emergency Operations staff on what departments needed computers back first.
Can you talk generally about what new safeties are in place to prevent this from happening again?
I can’t speak to specific technology, but I can say that mitigation of future events has been a main focus along with recovery post incident. No network is 100% secure, but we have implemented additional security measures to build a stronger network security architecture and will continue to do so moving forward.
What do you know, and what can you tell us, about how DoppelPaymer got in?
As noted in our February 15th news release it was a Phishing email that resulted in the breach. I can’t provide any more detail than that.
And how would you characterize what happened?
Some counties and entities have experienced attacks (an attempted breach that was ultimately not fully successful), while others have experienced breaches (where data was stolen). Our network was breached and most of our servers were encrypted. As noted in the previously mentioned news release, we are aware of data released by the threat actors and are working diligently with state agencies and legal counsel to notify all impacted individuals.
What was in place within the county’s system to stop attacks and attempted breaches as the threat actor made it through layers of security?
I cannot speak specifically to what types of security were in place prior to the attack, but I can say that we had technology in place to protect our network. As I stated in a response to a previous question, no network is 100% secure, and it will be a constant fight to protect our network moving forward.
What are the main tasks left on yours and the county’s to-do lists in regards to recovery?
We expect our recovery to continue into the second quarter of 2021. While our critical business systems are operational, there are a lot of ancillary business processes that have not yet been fully restored. MIS staff continues to work diligently to respond to the needs of our county staff to provide excellent service delivery to the residents of Chatham County.