City Hall on City Hall by Kelly Jordan

By Maggie Lee

Dozens of city elected officials and top staff lined up with Atlanta Mayor Keisha Lance Bottoms a week ago, as she stepped out of her office. She told the waiting mass of reporters and TV news cameras that it’ll be a marathon, not a sprint, to recover from a cyberattack that’s shut down some city online services and locked staff away from their files.

“We are dealing with a hostage situation. Just as we wouldn’t give away too much information if there were a physical hostage, we do have to be careful as we speak about timelines. But I can tell you we are working around the clock, we are asking the public to be patient,” Bottoms said at the time.

Atlanta City Hall and state Capitol statue. Credit: Kelly Jordan

What’s being held ransom by one or more cyberattackers is the city’s ability to operate all its computer systems. A week ago, some city bill-pay websites were shut down, cops were writing reports by hand, some municipal court operations came to a halt and and city staff couldn’t access some of their own documents. The city has yet to recover.

City Councilman Howard Shook told the New Yorker that 16 years of his official information was gone: emails, contacts, files.

Bottoms said the city is working with public and private partners including companies, Georgia Tech and federal agencies to get the city back in IT-working order. She said there’s a lot that needs to be done with the city’s digital infrastructure and the ransomware attack has sped that up.

Asked if the city would pay the ransom, Bottoms said that nothing is off the table.

The reported ransom demand of $51,000 for a city with $170 million in reserves is like a hacker holding a family’s data hostage for the price of a lunch, according to Chris M. Roberts, an analyst at Georgia Tech’s Institute for Information Security and Privacy.  In a post on a Georgia Tech website, he asked whether the city should have just paid up and gotten back to work. In either case, he said, nothing is stopping another attack until the vulnerabilities are patched.

But he wrote that maybe the city should be thanking the hackers for forcing an investment in IT security.

“A different style of cyberattack could have cost you much more money. Maybe now you will be able to prevent those kinds of attacks. For the time being, it looks like potholes will remain,” he wrote.

As far back as 2015, the city has been working on getting certified as measuring up to best practices in information security. At the city’s request, a company recently looked over the work to see if Atlanta was ready to be certified as measuring up to standards.

But auditors found numerous gaps that would have prevented the city from passing a certification audit, according to a January 2018 report.

The city was missing things like documentation, instead relying on employees’ institutional knowledge to configure systems. Auditors found almost 100 servers running versions of Windows 2003 software which has been declared obsolete.

Gaps in processing and reporting could allow security issues to go undetected or untreated for periods of time that would pose an increased inherent risk level to the city, auditors wrote.

The signed onto a to-do list 23 items long that would stretch through 2018 and 2019 to finish.

The AJC reports it has received leaked emails that appear to reveal months-old warnings of vulnerability to cybercrooks.

Atlanta City Council President Felicia Moore said last week that council members had been briefed by Bottoms’ office, but said that the executive branch is handling the day-to-day operations of the city, which includes response to the cyberattack. She referred most questions there.

“I think Council is working cooperatively with the executive branch, even in easing back and making sure that they have the time to deal with the issue,” said Moore. “I believe Council stands ready … to do whatever we need to do to help move forward any initiatives that we need to deal with this situation.”

By Friday, the city announced some more steps toward recovery, like beginning to accept payments for water and sewer bills and business licenses in person at City Hall. The city is posting updates on a special website.

But it looks like Bottoms’ office is done answering questions.

On Thursday, in response to an email question about any ransom payment deadline, a Bottoms spokesperson wrote that they will not be commenting further on the cyberattack.

Here’s the statement from the mayor’s office in full:

“Above all else, the City has a responsibility to secure and protect our system’s infrastructure and the residents we serve. Following the advice of our federal partners and security experts, we will not be commenting further on the cyberattack. We continue to take a critical look at our systems and processes in order to ensure that we have the ability to continue serving our residents.

City services including Public Safety (Atlanta Police Department, Atlanta Fire Rescue Department, Department of Corrections, 911), Water Services Operations, Public Works and the Airport continue to operate without interruption. However, it’s important to understand that our overall operations have been significantly impacted and it will take some time to work through and rebuild our systems and infrastructure. We appreciate your patience and support through this challenge and we are grateful that the City of Atlanta and its people are resilient and will use this event as an opportunity to invest in and build a stronger, safer digital City.”

Maggie Lee is a freelance reporter who's been covering Georgia and metro Atlanta government and politics since 2008.

Join the Conversation


  1. Wonder if good (meaning you can restore from them) backups of these systems were being taken. Perhaps they were also targeted in the attack. We really depend on information technology and it’s a shame that it takes something like this for people to wake up.

  2. Hold an entire city’s networking infrastructure hostage for 50k, whether for cash or bitcoin, seems highly unlikely….said perpetrators we’re probably paid more to perform such an act….which begs this question…..who has the most to gain from such an event ?….likely those individuals currently being investigated by the GBI, IRS, FBI and the SOS….. unfortunately this will backfire as now their are even more investigative eyes on the situations….

    Atlanta’s chief of police, Ericka “not the brightest” Shields recently announced that shoplifting calls in Buckhead will be ignored, due to ransomware attack….all police dash cam video is GONE ?!?!?!?….yet, no investigate materials were lost, court dates and ticket payments in shambles and the gravy at the end…..”PUBLIC SAFETY HAS NOT BEEN COMPROMISED”….

    all very convenient, similar to Watershed Department network falling victim to ransomware attack….where unpaid bills by politicians are, rather now, were found….same department being looked at for Open Records Request violations (ORR)….

    If it’s not missing emails that would validate assertions by Sgt. Warren Pickard was told to violate an ORR…it’s the CoA law dept that can’t find emails that would corroborate they had/gave/received permission to carry out “decisions”….


    just one big coincidence

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.