Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is HIGH because the attack vector — password guessing against MFA-absent accounts — is low-skill, widely automated, and remediation of the county's authentication gap remains unconfirmed; this class of attack is actively exploited across public-sector entities with similar control postures. Impact is HIGH because the confirmed outcome includes a $1M extortion payment, two terabytes of government records now outside organizational control with no enforceable deletion guarantee, and compounding exposure from potential future disclosure of that same data.
Treatment rationale: The root cause — absence of MFA on externally accessible accounts — is a remediable technical control gap, making risk reduction through direct mitigation (MFA enforcement, credential hardening, exfiltration detection) the only treatment that addresses the actual attack surface; transfer alone cannot offset the reputational and regulatory exposure from already-exfiltrated data.
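The likelihood and treatment entries above rest on two observable conditions: a source guessing passwords across many accounts, and externally reachable accounts that lack MFA. The following is an added example, not code from the assessment or the county, showing how both would be checked: a detection pass over authentication events, and an inventory check for the MFA gap. The log line format, field names, account inventory, thresholds and IP addresses (RFC 5737 documentation ranges) are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real county logs).
# Sources use RFC 5737 documentation-range addresses.
SAMPLE_AUTH_LOG = """\
2024-05-01T02:00:01Z result=fail user=jdoe src=203.0.113.5
2024-05-01T02:00:03Z result=fail user=asmith src=203.0.113.5
2024-05-01T02:00:05Z result=fail user=bwong src=203.0.113.5
2024-05-01T02:00:07Z result=fail user=clee src=203.0.113.5
2024-05-01T02:00:09Z result=fail user=dpatel src=203.0.113.5
2024-05-01T02:00:11Z result=success user=dpatel src=203.0.113.5
2024-05-01T09:15:00Z result=fail user=jdoe src=198.51.100.7
2024-05-01T09:15:20Z result=success user=jdoe src=198.51.100.7
"""

# Assumed line layout: "<iso-ts> result=<fail|success> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into event dicts; skip unmatched lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted(users)} for sources whose failures hit at least
    min_users distinct accounts within any window-long span. One source
    cycling through many accounts is the signature of password guessing
    at scale, unlike one user mistyping a password several times."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def successes_after_spray(events, spray_hits):
    """Accounts that logged in successfully from a spraying source: the
    highest-priority alerts, because a guess evidently worked."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["src"] in spray_hits})


# Constructed account inventory. The control gap the assessment names is
# every externally reachable account with mfa=False.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "external": True, "mfa": True},
    {"user": "dpatel", "external": True, "mfa": False},
    {"user": "svc-backup", "external": True, "mfa": False},
    {"user": "clee", "external": False, "mfa": False},
]


def mfa_gap(accounts):
    """Externally reachable accounts on which MFA is not enforced."""
    return sorted(a["user"] for a in accounts if a["external"] and not a["mfa"])


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    hits = detect_spray(ev)
    print("spraying sources:", hits)
    print("accounts to treat as compromised:", successes_after_spray(ev, hits))
    print("external accounts lacking MFA:", mfa_gap(SAMPLE_ACCOUNTS))
```

On the constructed data the source 203.0.113.5 fails against five accounts in ten seconds and then succeeds on dpatel, which the inventory shows is external without MFA; the single failure from 198.51.100.7 followed by a success is ordinary user behaviour and is not flagged. Cross-referencing spray hits with the MFA inventory is what turns the detection into the treatment priority the assessment calls for.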
Third-Party / Supply-Chain Risk
temp.sh, a public ephemeral file-sharing service, was used as the exfiltration staging platform. It is a third-party hosted service into which the county had no contractual visibility, from which it received no telemetry, and from which it had no ability to compel data removal; this is consistent with NIST SP 800-161 shared-platform dependency risk, where a commodity external service becomes an unmonitored exfiltration conduit outside the organization's supply-chain risk program.
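Because the county receives no telemetry from the service itself, the only vantage point it controls is its own egress. The following is an added example, not code from the assessment, of the exfiltration-monitoring control the treatment rationale names: a pass over outbound proxy records that flags any contact with a watchlisted ephemeral file-sharing domain and escalates hosts whose upload volume to such a domain crosses a threshold. temp.sh is the domain the assessment names; the second watchlist entry, the proxy log layout, the internal addresses and the 50 MiB threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Watchlist of public ephemeral file-sharing services. temp.sh is the
# service named in the assessment; the second entry is a constructed
# placeholder showing how the list would be extended.
EPHEMERAL_SHARE_DOMAINS = {"temp.sh", "example-dropzone.invalid"}

# Outbound byte total per client above which contact is treated as a
# staging event (assumed value, to be tuned per environment).
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB

# Constructed proxy log lines (not real county telemetry).
# Assumed layout: "<iso-ts> <client-ip> <method> <host> <path> <bytes-out>"
SAMPLE_PROXY_LOG = """\
2024-05-01T03:10:02Z 10.20.0.14 GET www.example.com / 512
2024-05-01T03:12:40Z 10.20.0.14 POST temp.sh /upload 734003200
2024-05-01T03:14:05Z 10.20.0.14 PUT temp.sh /upload 1073741824
2024-05-01T03:15:00Z 10.20.0.31 GET temp.sh /ABCD 0
2024-05-01T08:00:00Z 10.20.0.31 POST www.example.com /form 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<bytes_out>\d+)$"
)


def parse_proxy_log(text):
    """Parse the constructed proxy format into row dicts; skip unmatched lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes_out"] = int(d["bytes_out"])
            rows.append(d)
    return rows


def host_on_watchlist(host, watchlist=EPHEMERAL_SHARE_DOMAINS):
    """True when host equals, or is a subdomain of, a watchlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def detect_staging(rows, threshold=BYTES_THRESHOLD):
    """Return (staging, contacts).

    staging:  {client: {domain: bytes}} for clients whose POST/PUT volume
              to watchlisted domains reaches the threshold.
    contacts: {client: [domains]} for every client that touched a
              watchlisted domain at all, since an ephemeral share service
              rarely has a legitimate use on a government host and the
              first GET may be reconnaissance or a download of tooling.
    """
    uploads = defaultdict(lambda: defaultdict(int))
    contacts = defaultdict(set)
    for r in rows:
        if not host_on_watchlist(r["host"]):
            continue
        contacts[r["client"]].add(r["host"])
        if r["method"] in ("POST", "PUT"):
            uploads[r["client"]][r["host"]] += r["bytes_out"]
    staging = {c: dict(h) for c, h in uploads.items()
               if sum(h.values()) >= threshold}
    return staging, {c: sorted(h) for c, h in contacts.items()}


if __name__ == "__main__":
    staging, contacts = detect_staging(parse_proxy_log(SAMPLE_PROXY_LOG))
    print("staging events:", staging)
    print("watchlist contacts:", contacts)
```

On the constructed data, 10.20.0.14 pushes roughly 1.7 GiB to temp.sh across two requests and is reported as a staging event, while 10.20.0.31 only fetches from the domain and appears in the contact list alone. Aggregating per client rather than per request matters because a transfer split into many small uploads would otherwise stay under any single-request threshold.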
Loss Exposure (illustrative)
Magnitude: High — illustrative $1.5M–$4M inclusive of confirmed $1M extortion payment, plus illustrative estimates for incident response, forensic investigation, legal counsel, notification costs, and credit monitoring for affected residents; excludes unquantifiable long-term reputational and litigation tail risk
Frequency: For a public-sector entity with MFA gaps on external-facing accounts and no exfiltration detection controls, a credential-based intrusion event of this type is plausible on an illustrative once-every-two-to-four-year recurrence basis absent remediation; with remediation, frequency drops materially
Annualized: Illustrative ALE: assuming $1.5M–$4M loss magnitude and a 0.25–0.50 annual event probability pre-remediation, illustrative annualized exposure range is approximately $375K–$2M; this range collapses significantly upon MFA enforcement and exfiltration monitoring implementation
Basis: Loss magnitude anchored to confirmed $1M payment as floor; upper range extends illustratively to account for forensic and legal costs typical of public-sector data extortion incidents of this scope; frequency derived from the attack vector's low technical barrier and the prevalence of MFA gaps across similarly sized county governments; no third-party loss database figures cited
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Exfiltration of government records including likely PII may invoke state breach-notification obligations under Ohio Rev. Code § 1347.12 and related statutes — verify with counsel.
• Bitcoin extortion payment may trigger cyber-insurance notice obligations and could implicate OFAC sanctions screening requirements depending on threat actor designation status — verify with counsel and broker before any future payment.
• Ongoing risk of public data release from unverified deletion promise may constitute a continuing breach event affecting insurance claim timing and coverage scope — verify with broker.
• Federal grant or data-sharing agreements with state or federal agencies may contain incident-reporting and data-protection clauses triggered by unauthorized exfiltration of shared records — verify with counsel.