JCOPE Update on Cyber Security Incident
Systems expected to resume operation by March 11
Preliminary forensic review suggests attack targeted legacy (pre-2019) lobbying filing system

The Joint Commission on Public Ethics is continuing its investigation and response to the recent cybersecurity attack on its web application server. Barring any additional findings by the State Office of Information Technology Services (ITS), the Commission anticipates that the electronic lobbying reporting and financial disclosure statement (FDS) systems will be back online by the end of next week (March 11). Any filings due during the outage will be automatically granted a 21-day extension. Additionally, the March 15 lobbying bi-monthly report deadline is extended to March 31.

The information security officials at ITS are nearing the completion of the forensic review process, which attempts to retrace the malicious activity step-by-step. While not yet complete, the review has established that the incident was the result of an attack on the JCOPE Legacy Lobbying Filing System (used from 2005 to 2018). This system had been retained to provide public access to those records and for lobbyists to submit amendments resulting from JCOPE audits and investigations. This legacy system will not be returned to service until further notice.

All underlying data that populates JCOPE systems is housed on a separate database server, and all credit card transactions are carried out via a third-party payment processing gateway – JCOPE stores no credit card numbers on its own system. The forensic review process is ongoing, but other than the intrusion into the pre-2019 legacy system, there has been no direct evidence of any unauthorized access to user data or to the third-party credit card system. That said, we are continuing to look for any circumstantial evidence or other indicator that would suggest unlawful use of user information.

Once the forensic review is complete, JCOPE will return the lobbying and FDS systems – but not the pre-2019 legacy lobbying system – to service. “We expect operations to resume next week, but we will not sacrifice security and integrity in the name of speed,” said JCOPE Executive Director Sanford Berland.

At the same time, ITS is engaging in ongoing prophylactic exploit testing in order to identify and eliminate any security vulnerabilities beyond those in the since-deactivated pre-2019 lobbying filing system. This is a comprehensive long-term exercise, and any findings can be remediated after lobbying and FDS filing activity has resumed.

“Forensics will help us understand this incident and prevent a recurrence, but cyber-security is a constant game of cat-and-mouse,” said Berland. “This continuing test-and-fix process is crucial to our staying one step ahead of the next attack.”

The cyber-attack was first detected through a suspicious activity alert on February 21, and all systems were taken offline by ITS as a precautionary response. Early forensics suggest that the attack came in through U.S.-based public IP addresses, but those easily could have been just the final stop on a global circuit.

The Commission has brought the incident to the attention of additional state agencies, including the Office of the Attorney General and the Department of State Division of Consumer Protection. Once final forensics are complete, the Commission will work with these organizations to ensure that any affected users are contacted and all legal obligations are met. Additionally, any information that can be gleaned from the review will be shared with law enforcement for investigative purposes.

“This has been a trying time for JCOPE, ITS, and the regulated community,” said Berland. “We thank everyone for their understanding and look forward to safely resuming operations as soon as possible.”

Additional guidance will be distributed to Lobbying and FDS filers before the systems are returned online. Lobbying filers should send questions to [email protected]. FDS filers should send questions to [email protected].

Contact Communications and Public Information Office

The Communications and Public Information Office is the point of contact for the public and members of the press with questions about the Commission's mission and to request access to records such as the financial disclosure statements filed by state officials and employees, the statewide elected officials, members of the Legislature and legislative employees. 

Contact us by phone:

Direct Line 518-486-7842
Main Line 518-408-3976

Contact us by email:

Mailing Address:

New York State

Commission on Ethics and Lobbying in Government

540 Broadway

Albany, NY 12207