View All News Posts

Baltimore Stored Data On Local Hard Drives Before Ransomware Attack

October 4, 2019

Jigsaw ransom message with Saw characterOn May 7, 2019, Baltimore suffered a crippling ransomware attack that limited access to services, including online bill payments and municipal employees’ emails. Now, the city is trying to figure out what went wrong, and an audit has turned up serious issues with the Baltimore’s IT practices.

Auditor Josh Pasch presented his findings to the Baltimore City Council. Among the most remarkable takeaways: Many members of Baltimore City Information Technology store vital data on local hard drives — without an offsite backup.  

“One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident,” the audit reads, per a piece in StateScoop. “Due to the lack of data backup, the supporting data for the four selected measures were unavailable.”

Here’s how StateScoop describes the ensuing exchange:

Councilmember Eric Costello, who leads the audit committee and has been critical of BCIT’s performance since the May 7 ransomware attack, was struck momentarily incredulous.

“That can’t be right. That’s real?” Costello asked Pasch.

“Are you questioning the word ‘responsible?’” Pasch replied.

“No, I’m questioning whether or not they’re storing it on their hard drive and not on a server or a cloud,” Costello responded.

“One of the things I’ve learned in my short time here is that a great number of Baltimore city employees store entity information on their local computers,” Pasch said. 


The ransomware variant that hit the city was RobbinHood, a fairly simplistic piece of software. With a proper disaster recovery plan, Baltimore might have limited downtime and saved crucial data. Instead, the city scrambled to respond.

While we could easily criticize the city’s IT department, we should note that many hospitals, government offices, and enterprise-level businesses have similar levels of preparedness, which is to say that they’re wholly unprepared for a serious attack.

There are, of course, a number of reasons not to trust hard drives as primary media for mission-critical data; every hard drive will eventually fail, as is true of solid-state drives and other media, and no important system should have a single point of failure. Most government institutions back up data to offsite servers, which offer protection if an entire network is compromised, either through large-scale natural disasters or malicious attacks (including ransomware attacks). 

Earlier this week, we posted an article about the basics of preparing for ransomware attacks. We’d recommend checking it out. If your business hasn’t developed a disaster recovery plan — or if you’re still using hard drives as your sole means of data storage at any level — it’s never too late to change your habits. Until, of course, it’s actually too late.