FBI agent warns of cyber crimes at Hempfield event

Companies and private people should never pay ransoms demanded by computer hackers who use malware to disable a computer or entire system, an FBI agent in charge of cyber security at the Pittsburgh bureau said Thursday.

“If you pay ransom, you may open up your industry to paying more ransom,” said FBI Supervisory Special Agent Michael McKeown, who talked about cybercrime and cyber security before about 70 people at a program at the Ramada Hotel & Conference Center in Hempfield. Those who pay ransom typically get an an encryption tool that does not unlock the entire computer, making victims susceptible to more ransom attacks.

“If you pay, they might be back. If you pay once, they figure ‘why not pay again,’” said McKeown, who leads a cyber squad that investigates cyber national security matters and cyber-criminal matters.

Cyber attacks originate from countries around world, such as Eastern Europe, Asia and Africa, McKeown said.

The Westmoreland County Housing Authority’s computer system was hacked in July 2018 by an unknown cyber criminal demanding $40 million, but the authority contacted the FBI and did not pay the ransom, said Michael Washowich, authority executive director.

It was important to have a plan in place detailing the response to a ransomware, Washowich said.

“You can prepare all you want … but you can’t be assured it will protect you,” Washowich said.

The hacking of business emails, particularly of those in a company who control the money, is a big problem, McKeown said. Cyber criminals seek access to 401K accounts and payroll, then siphon money from the victim through international bank wires. Cyber criminals look to hack the emails of company officials such as the CEO and chief financial officer, then divert payment for legitimate services into their accounts by changing bank routing numbers and account numbers, McKeown said.

If they’re successful, “there goes a million dollars,” McKeown said.

Companies need to develop a plan for responding to a cyber attack, said Mark Parker, risk manager and insurance adviser for First Commonwealth Insurance Agency, a subsidiary of Indiana-based First Commonwealth Financial Corp. A company must determine how to notify customers that their private data has been compromised. Some states require the company to pay for their customers’ credit monitoring, said Parker, whose company sponsored the program.

When cyber crime hits a company, research has shown that “one-third of their clients walk out of the door,” which means a 33% drop in revenue, Parker said.

Information technology security “is a process, not just a project” to be completed, said Paul Grieggs, executive director of information technology security at Indiana University of Pennsylvania.

In the business world, they are never finished with updating and improving IT security, Grieggs said.

“The threats are always changing. They only need to be right one time. We need to be right all of the time,” Grieggs said.

Cyber criminals have stolen an estimated $11.3 billion in the past 12 months, according to a 2018 cyber safety report from Symantec Corp. A survey of 1,000 adults last year found that 41 percent of those responding to an online survey were victims of cyber crime in the past year.

McKeown urged those who have been victims of cyber crime, to report the incident to the FBI’s Internet Crime Complaint Center.