Bainbridge park district hit by cyber attack

Databases that contained the employee and financial records for the Bainbridge Island Metropolitan Park & Recreation District were destroyed by an internet hacker in late February, and the extensive cyber attack has left district officials writing hand-written checks to workers and vendors.

Parks executive director Terry Lande said the hacking was discovered when employees came to work Monday, Feb. 24, and couldn’t connect to the district’s servers.

Three of the district’s servers — two at the parks headquarters at Strawberry Park and one at the Bainbridge Island Aquatics Center — were compromised.

The initial assessment was that park district data did not appear to have been downloaded by the hacker.

Instead, someone accessed the district’s databases and deleted files. Park employees soon learned that included all of the district’s financial data.

Lande said the cyber intrusion was discovered two Mondays ago when a parks employee had trouble launching server-stored programs and had trouble connecting to the internet.

But then it got worse: the bookshelves in the district’s electronic software library were empty. Payroll. Personnel. Vendors. Aisle after aisle.

“We were missing a whole bunch of stuff,” Lande said, including software for paying bills and doing payroll. Also gone was the software that allows the county to transfer tax funding to the district.

What wasn’t hit was any information from the public. Registrations for programs, account information from customers and similar data are actually maintained by outside contractors and are not stored in the park district’s databases, officials said.

“All public data was secure and safe,” said Mark Benishek, recreation division director for the parks district.

The park district’s website was also not impacted, as it is also maintained by an outside contractor.

The attack has been reported to local, state and federal authorities.

The park district’s insurer has turned to forensic scientists, and attorneys, to find out if any information from the park system was downloaded.

“We don’t know if they downloaded anything,” Lande said.

At a special meeting late last week, park commissioners adopted a resolution to increase the fund limit of its imprest fund — which is used to pay expenses that require a check — from $30,000 to $80,000 so payments could still be made while the district’s accounts payable system is offline.

The district’s multiple backup efforts may save the day, though.

Lande said there were multiple places where the district has stored copies of its digital records.

Since the attack, the initial work has centered on retrieving the great bulk of data that can be pulled off the cloud.

“We may be able to recapture everything we lost,” Lande said.

Given the time it is taking to download data back into the system from the cloud — which has already consumed the better part of a week and will likely take three weeks to finish — Lande said it appeared the hacker would have also faced a similar hurdle in downloading information.

“They only had about 30 hours,” he said.

“If they would have downloaded stuff it would have taken a week just for the aquatics [server],” Lande said.

The district did not get a “ransom note” asking for money to restore the information that was taken, he said. That made the attack seem purely malicious in nature.

“It appears this was a search-and-destroy mission,” Lande said.

Benishek said the investigation launched by the district’s insurer will likely determine if any park district data was downloaded.

The three servers that were hit have been packed up and sent to investigators, he said.

Lande said the cyber attack was the first ever for the park district.

The discovery of the damage was demoralizing, he added.

“Your heart drops,” he said.

“It’s a rather strange experience,” Lande added. “It’s very offensive. The whole agency has been violated.

“Your stomach rolls over on you. Then anger. Frustration. All those things. Then you find out there’s a certain amount of guilt involved; ‘What could we have done to prevent it?’”

The biggest question is the motivation of the attacker. “Why?”

“Why do people behave that way? I don’t have answers for that,” Lande said.