On June 6, 2023, Mayor Sean Spiller published a recorded video message announcing that the Township IT Department experienced a “cyber incident”, claiming the Township immediately contacted the New Jersey Office of Homeland Security, the FBI Homeland Security and State law enforcement.
In fact, this “cyber incident” was ongoing for three months, since March 9, 2023, when the Township’s brand-new firewall failed and required an emergency purchase authorization. Emergency purchase authorizations are only permitted by law to prevent a situation that creates a danger to public safety and infrastructure of the Township.
A review of the invoice for emergency service documents the inability of the IT consultant in tandem with the Township’s CIO, Tony Fan, to repair or even replace the firewall over the two-month period from March 9, 2023 to May 11, 2023. As of May 11, 2023, the firewall still wouldn’t install the upgrade per the IT consultant invoice.
Residents Notified Nearly a Year Later
In mid-April 2024 Township residents received letters from the Township of Montclair Secure Processing Center advising them that they discovered the systems were accessed between approximately May 22, 2023 and June 1, 2023.
Data Breaches
It is incredulous that the Township’s IT department was unaware of any data breaches occurring between May 22, 2023 and June 1, 2023, especially in light of the unsuccessful three-month ordeal to install the firewall.
Other documentary evidence shows that a second IT consultant was on Township premises June 1, 2023 before regular working hours because of the “network cyber-attack issues”.
Carbon Black Cloud
These same invoices reveal that, miraculously, all the firewall issues were resolved with “Carbon Black Cloud” installations. Why wasn’t the Carbon Black Cloud installed earlier? Why did the Township wait for a complete system failure to occur before taking this action?
Ransom
The Mayor and Township Attorney unilaterally decided to pay a $459,000 ransom demand to the “threat actor” on June 30, 2023. The cyber insurance carrier reimbursed the Township on December 4, 2023, without performing any due diligence to determine that the “cyber-attack” or incident was legitimate. Furthermore, there is no Resolution approved by the Council authorizing either the Mayor or Attorney to make this payment in violation of Local Public Contracts Law.
A Northjersey.com article, dated May 9, 2024, interviewed former Montclair councilor Peter Yacobellis “who recollected that the council did vote to remit the ransom”, however records show there is no Resolution memorializing the vote and no mention of the “cyber-attack” in any of the executive session minutes. Yacobellis also reported that the council had been warned “that personal data was being held as a fail-safe to ensure the ransom was received”.
Coveware (Ransomware Recovery First Responders) was engaged to assist the Township in recovering property that may have been stolen or encrypted and facilitated the ransom payment in cryptocurrency to the threat actor. As residents were informed in April 2024, the “unauthorized actor” accessed various personal data including names, addresses, account numbers and social security numbers.
Rao Case
Additionally, the Township’s defense attorneys in the Padmaja Rao (CFO) v Township of Montclair v Timothy Stafford “hostile workplace environment case”, wrote to the plaintiff’s attorney on January 11, 2024 that many of the documents requested in discovery remain inaccessible due to the “malware attack”. Rao Case
The characterization of Township records being “inaccessible” is not synonymous with personal data being stolen or encrypted. And, if files and other data sensitive to this lawsuit were not released, why was there no follow-up by the town after the payment of the ransom?
Independent Employment Practices Investigation
Included in the list of inaccessible documents requested in discovery is the Lindabury McCormick Estabrook & Cooper “independent employment practices investigation” report that purportedly supports the Township’s position that there was insufficient evidence to support a finding of an abusive or hostile work culture.
A review of the Lindabury invoices obtained through the Open Public Records Acts shows a clear pattern of collusion between Kathleen Connelly of Lindabury and the Township Attorney, Paul Burr including phone calls and email exchanges after every interview and multiple revisions by Burr to the “independent” report written by Connelly. Furthermore, despite there being 36 other attorneys on Lindabury’s staff, not one reviewed the report written by Connelly and revised by Burr, as described above.
Again, on January 26, 2024, the Township’s defense attorneys advised the plaintiff’s attorney that those same inaccessible records are designated confidential.
It is illogical and irresponsible to pay a ransom if files are not returned, especially files critical to the “hostile workplace environment case”.
The hostile workplace environment case resulting from the Township’s refusal to take corrective action with regard to the internal report prepared by Bruce Morgan, the Affirmative Action Officer also includes multiple allegations of fraud committed by several of the council members and other egregious acts of fraud committed by the former mayor, Sean Spiller.
The former mayor committed multiple acts of retaliation against the CFO. (Spiller Retaliation) Claims that files sensitive to the workplace harassment suit as well as finance department records are inaccessible due to the “cyber-attack” are indefensible. In fact, the evidence proves the former mayor exploited the “cyber attack” to provide additional cover for obstruction of discovery. That any educated, rational person would take the actions Sean Spiller took defies any reasonable explanation. Reviewing the evidence, one can only conclude that Spiller took these actions solely for his own personal benefit.
Montclair Progressive or Corrupt 