County computers mostly back online; data breach under investigation

A data breach at Apprentice Information Systems, which led many Arkansas counties to shut down servers, has been mostly repaired, according to county officials.

Ouachita County Judge Robert McAdoo said, "It's my understanding that we are partially back up. AIS is still tweaking on some of the finishing touches we have to do."

Both the Ouachita County treasurer and clerks' offices were affected by the breach.

Ouachita County Treasurer Missy Chambers said, "For the treasurer's office. we have both of our computers back up. AIS called us Monday and Tuesday, we got all the back up in this office. What we are waiting on right now is getting our secure banking back up to full force. We're still able to do payroll. They have to get a paper check; we can't do direct deposit right now."

Scott Hollis, Union County's information services manager, told the Union County Quorum Court on Nov. 17 that the security breach, which impacted 54 Arkansas counties, was under federal investigation.

"We had a Zoom call with the State of Arkansas, Department of Information Systems and about 140 different other people around the state and they gave us some information -- not a lot, because there's an ongoing investigation right now. Both Homeland Security and the Cybersecurity Task Force with the National Guard are involved in that," he said.

Hollis said Apprentice workers noticed "suspicious activity" the Saturday before the election, Nov. 5.

"Their technicians went into the office and saw that somebody was attacking the systems, had encrypted their servers and was slowly working their way out to the different county servers that AIS had access to," he said. "So they shut everything down and attempted to shut down, remotely, the servers and they didn't have access to them."

From there, the company began reaching out to counties that utilize AIS software, to direct them to shut down any computers with the software.

Hollis said Cerberus Sentinel, a cybersecurity company AIS works with, identified a foreign hacking group as being responsible for the attack.

"They identified the group that did this as a Russian-Ukrainian group called BlackCat," Hollis said. "They didn't mention any money, anything about actual money being transferred... There was a question of whether it was a ransomware attack, if BlackCat asked for ransom, but they wouldn't say about that, so I figure that's an ongoing investigation, they're not going to talk about it until they know more.

"More than likely, they're not going to pay any kind of ransom. That kind of thing – people have stopped paying ransoms because there's no guarantee that they'll actually unencrypt your data. Once they have your money – they don't have to do anything, they can just move on, and people have started realizing that," he continued.

In September, Reuters reported that the BlackCat group, since November 2021, was responsible for up to 136 cyber-attacks on companies in the U.S. and Europe. Recovery from their attacks can cost up to $1.85 million, the outlet reported.

AIS had the data stored on its servers backed up, Hollis said, and the company was working to "rebuild the data" that was corrupted or encrypted in the attack.

Caitlan Butler contributed reporting to this story.