Maryland Officials Alert County Agencies to Malware Threat in Public Information Act Requests

Maryland officials are warning county agencies and employees to be wary when handling requests under the state’s Public Information Act, after malware attacks using a similar scheme reportedly hit some county attorneys in Virginia.

Maryland Association of Counties (MACo) officials, who posted the warning last week, said they are not aware of any attempts against Maryland offices, but wanted to put local officials “on lookout mode.”

“We haven’t seen any instances of this happening in Maryland, but I just felt like it was a good opportunity to share this with our people,” said Karrington Anderson, associate policy director with MACo.

She posted the alert to the association’s blog last week urging county agencies and employees to “beware” malware scams that could come through links attached to PIA requests, after similar attempts were identified in Virginia using that state’s Freedom of Information Act (FOIA).

“Public Information Act (PIA) malware scams could target county governments,” Anderson warned in her Aug. 7 post. “In Virginia, counties are receiving FOIA requests as attachments that, once opened, contain malware.

“Not only is this malware capable of shutting down entire systems, but it also expends resources and require counties to spend significant amounts of money to repair the damage. The disruption caused by these attacks can lead to delays in government operations,” her post said.

The Maryland Department of Information Technology said that it has not identified any such attacks in the state yet.

“OSM (Office of Security Management) has not received any information regarding a malware attack directed at MACo. OSM has not been informed of malware attacks by any local agencies, counties, or municipalities we serve,” said a statement from Nathaniel Miller, a public information officer speaking on behalf of the Maryland Department of Information Technology.

Maryland’s PIA allows people to request information on the activities of state and local governments. The process to receive documents and information can be an arduous and time-consuming task, depending on the scope of the request. Generally, PIA requests are sent over email.

Anderson and other officials warn that malware disguised as links or attachments in PIA requests could compromise the security of county and state agencies if an employee mistakenly clicks on it, often known as a “phishing scam.”

Officials from the Virginia Association of Counties said they “did not have many details other than what Lancaster County Attorney James Cornwell said” in an article from a local newspaper, in which he was quoted as saying that “several” county attorneys had been hit by malware posing as a FOIA request. VACo said it alerted its members, and will monitor the situation.

That said, a successful malware attack could lead to multiple issues for county and state agencies, depending on the end goals of the attackers, according Dave Levin, an associate professor with the University of Maryland’s Department of Computer Science. He is also a core member of the university’s Maryland Cybersecurity Center.

Click HERE to read the full article