SALT LAKE CITY — Hacker attacks in January on websites belonging to Salt Lake police and the Utah Chiefs of Police Association resulted in losses of nearly $180,000, according to federal court filings.
Loss statements claim the chiefs’ website sustained losses totaling $147,000 and the police website saw an additional $32,797 in costs after the attacks.
Suspected hacker John Anthony Borell — who is awaiting a January trial for computer intrusion charges — claims in the court documents the discovery the government has provided “is so deficient that the defense had to hire an expert witness to advise on whether or not the claimed loss amounts are reasonable.”
A breakdown of costs from the Utah Chiefs of Police Association included in one filing includes a subcategory for “reputation control.” Defense attorneys from the Federal Public Defender’s Office also want further details about what constitutes “security audit,” “online support” and “telephone support.”
The public defenders also asked for additional information from the Salt Lake City Police Department over the tabulation of its loss statement, including what “system intrusion detection” was in place, whether the operating system and applications were patched, how data was stored and encrypted, and whether they used “public tools” to test security.
Industry expert and XMission President Pete Ashdown, who is not connected to the case, said those are important questions in trying to determine what the actual damages and costs were.
“The prosecution is shooting high for the most damages they can get and the defense is coming back and saying, 'Well, did you take proactive steps on your web server to make sure that it was secure?'” Ashdown said. “For example, if you leave the door unlocked you can’t really sue the person that manufactures the lock because of your own negligence.”
Ashdown said the matter of “reputation control” is a reasonable loss to claim.
“It kind of does affect the reputation of police as far as keeping us secure,” Ashdown said. “If they can’t keep their own website secure, can they really keep a city secure? So I would argue on the side of police that they have had some damage to their reputation. It’s somewhat laughable that they got intruded into and this happened, but it can happen to anyone.”
The case appears to highlight the broader issue of the countermeasures and costs that follow hacker attacks.
Ashdown said his company has come under attack before as well.
“There are costs associated with keeping a website secure and those should be ongoing costs, those should be operational costs to keep your website secure,” he said. “Whether your Internet service provider does it or your web designer does it or you have people in-house doing it, it’s an ongoing cost. If you don’t do it, you’re going to realize those costs after you get hacked.”
Restoring the website, bringing it back from backup are common tasks following an attack, and Ashdown said recreating the website can be extremely costly — depending on the nature of the site and the size of the operation.
Data breaches — including the one in Utah that involved a Medicaid server and left the personal information of 780,000 people at risk — carry their own costs.
Officials estimate that breach has cost $2.4 million so far. Utah Department of Health spokesman Tom Hudachko said $1.4 million has gone to the law firm for an audit of the state Information Technologies system and a forensic investigation of how the breach occurred. Approximately another $1 million was spent on credit monitoring for those whose personal information may have been compromised.
Hudachko said officials will have a better idea of the total cost by mid-December. For example, the cost to send out mailers informing those potentially affected by the breach has not yet been determined.
A study by the Ponemon Institute earlier this year found the average cost per record of a breach was $194, and the organizational cost was roughly $5.5 million.
Ashdown said in general terms, the estimates from the Ponemon study seem high.
“Mostly what happens when data gets stolen is identity theft. That’s the most common abuse of someone’s information,” Ashdown said. “I have a hard time believing that it’s upwards of $200 per record when you have millions and millions of records. It’s usually a small subset of those that they actually take advantage of, so I’m skeptical about those high costs, those million dollar numbers.”