SAN BERNARDINO COUNTY __ Interoffice Memo DATE: May 30, 2023 PHONE: 909-387-3755 FROM: THE OFFICE OF THE SHERIFF4¥\\\+) TO: ALL SHERIFF'S PERSONNEL SUBJECT | RANSOMWARE ATTACK Progress continues as we work to restore other systems and applications, some of which are more challenging than others. Efforts to decrypt and recover data that was encrypted during the attack continue. Unfortunately, it appears that a portion of our stored data may not be recoverable. With the complexity of our old system's hundreds of servers, it's unclear at this stage which types of data may be affected and all the applications that will be impacted. An outside vendor specializing in data recovery has been obtained, and TSD is working with them daily to recover our data in our legacy systems. However, all files contained in our share drives remain intact, and access has already been restored to a handful of stations and divisions, with more to follow soon. The version of the Inform report management system (RMS) we were using previously is no longer available, and the new version has compatibility issues that will make it ult to view on an MDC. Since a new RMS. was already being explored before the attack, it may make better sense to focus on implementing a new product instead of switching to the latest version of Inform. Two weeks ago, a vendor demonstrated a potential replacement system. Several representatives attended the presentation, including TSD, Records, Dispatch, Patrol, and the DA's office. Last week, a similar delegation visited that vendor's headquarters in Louisiana to assess their product further and interact with their current users. While a decision hasn't been finalized, the feedback received thus far has been very positive and encouraging, Our federal law enforcement partners are currently leading the ongoing criminal investigation into the \ividuals responsible for the attack, working in collaboration with our department and other law enforcement agencies. Although we are still uncertain about the extent of any potential data compromise, or extraction of data from our system, efforts are focused on uncovering these details to the extent possible. In other instances where government entities have fallen victim to ransomware attacks, the perpetrators have deliberately leaked employee data on the dark web to increase their chances of receiving a ransom payment. In contrast, it appears the group behind our attack has not previously released data when successful negotiations for a ransom payment were made. Your personal information is of the utmost importance to us. Since the beginning of the attack, a professional company and our federal partners have been monitoring the dark web for any indications of a data leak. There have been no signs of a data leak at this point. Nonetheless, as a precautionary measure, it may be advisable to consider utilizing a credit monitoring solution if you are not already doing so. We are working with HumanResources and the Insurance provider to determine if any additional identity protection programs may be provided to our employees. The Sheriff will update and address any concerns at our next department-wide meeting. Lastly, while we all rely on technology to make our jobs more accessible and efficient, it has been extremely gratifying to see the response from all of you when access to all those systems was lost instantly. We are proud of each one of you for keeping your heads up high and being patient while your jobs have invariably become more challenging, all while continuing to provide the high levels of service the public expects from us. ‘While we are looking at a months-long recovery period, with many challenges ahead of us, we will eventually be in a far better place in many aspects. Thank you all for your hard work and dedication. Page 2 of 2