FULTON COUNTY, Ga. — Four weeks into a ransomware attack, Fulton County Commission Chairman Robb Pitts said they are unable to confirm whether any personal data is at risk.
Last month, county officials announced that a "cybersecurity incident" caused a widespread government system outage.
"I know there are more questions about whether or not citizens personal information may have been taken. I want to be straightforward with you and transparent: we still do not know," he said during a press conference Monday. "We want to get this right, and this review requires our teams to lead an extensive e-discovery process to carefully understand and review any data believed to be affected."
If they determine people's personal information is involved in this incident, Pitts said the county will notify those individuals as legally required and offer resources to help them.
But that could take weeks, months or even years, according to Rajiv Garg, a professor of information systems and operations management at Emory University's Goizueta Business School.
"It took two years for [TJMAXX] to figure out what they lost and notify people that your information could have been lost in this process," Garg said. "The data discovery process is tedious. It's time consuming. And a lot of times, it does not even capture the entire information. My advice is just assume that your data is lost and work with that."
There are three main things people can do.
He said that people should start with a review of what information they've given to Fulton County, like usernames, passwords and email addresses.
"As the Fulton County systems come back online, if you have an account, go in to change your email, password," he said. " Whatever email you are using with those accounts, make sure you change the password to those email addresses as welll."
Then, consider what financial information could be at risk, including your social security number.
"The way to protect this is essentially working with the credit bureau agencies and the third-party software companies that monitor the financial transactions that are happening with your bank account, the new accounts being opened, new loans being taken out," Garg said. "You can put a freeze on your credit, so nobody can make those changes or create new accounts for you."
Finally, he said to be aware of what's going on. That's where some of those identity monitoring services can help.
"Knowledge is important," he said. "If your data is out there, how could it harm you? What kind of data is it? Because for every individual, it's different, so just be aware of those things."
He said the sooner people take action, the better their outcome could potentially be.
"We should think that this data is out there. The goal is not being able to protect the data as much as it is protecting ourselves," he said. "We need to be proactive ourselves."