Lombardo continues to promise transparency on cyber attack… eventually

By April Corbin Girnus

Nevada Current

The cyber attack that has crippled many of the State of Nevada’s services and websites did not compromise the state’s financial accounts or personal information data kept by the Department of Motor Vehicles, according to Gov. Joe Lombardo.

That was one of the few new details offered by the governor Thursday at a press conference on the cyber attack.

“To the best of our knowledge at this time, the data compromise did not include state financial information,” said Lombardo. “No state bank account, treasury funds, or state budget payment systems data appears to have been part of the breach.”

State officials previously confirmed that “some data” had been exfiltrated — moved outside the state network. Lombardo on Thursday said the exfiltration did not involve databases at the DMV, or client information at Supplemental Nutrition Assistance Program and Temporary Assistance for Needy Families, better known as SNAP and TANF.

Lombardo emphasized that information was preliminary, repeating the phrase “to the best of our knowledge.”

“If investigators eventually discover otherwise, we will follow Nevada’s strict statutes about personal data breaches by notifying any affected individuals promptly and providing resources to help protect them,” he added.

Lingering questions about the nature of the cyber attack, such as the identity of the attacker or attackers, the scope of the data extracted, or whether a ransom has been demanded, remain unanswered. Lombardo repeatedly said he could not answer any questions related to the ongoing investigation.

“Transparency during a cyber incident must be balanced with security,” he said. “Public updates can sometimes trigger more attacks.”

Lombardo said his office will be transparent “when the time comes.”

He said staff has and continues to work “24/7” on the incident, including through the three-day Labor Day Weekend. He said the state is tracking the labor costs but that he did not have an estimate on what the current total is. He added that the state has an insurance policy for such attacks and he expects that to help with the cost.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation are both involved in the investigation.

The cyber attack, which the state has described as “ransomware-based,” was discovered on Sunday, Aug. 24. The following day, state employees were put on administrative leave as state offices like the DMV were shuttered and unable to provide services.

Since then, many services have resumed in-person service but are still unavailable online. Information on the current status of various state services can be found at oem.nv.gov/recovery.

Lombardo said the typical recovery timeline is “several weeks to months,” citing an IBM study, and Nevada is “moving well ahead of that projection.”

He added that “tomorrow would be the goal” for restoring all state systems and services “but more realistically it should be the next few days.”

Lombardo, who faced criticism last week for not attending the first press conference about the cyber attack, was asked whether he thought his handling of the incident would have any affect on his campaign for re-election next year.

The first-term governor responded that he thought it would have “no effect.”

“I think people in Nevada have confidence in my ability to address the crisis,” he added.

* * * * *

April Corbin Girnus is an award-winning journalist and deputy editor of Nevada Current. A stickler about municipal boundary lines, April enjoys teaching people about unincorporated Clark County. She grew up in Sunrise Manor and currently resides in Paradise with her husband, three children and one mutt.