Patrick Kelley, founder, interviewed by 11Alive regarding the Fulton County ransomware attack

ATLANTA — In a startling revelation that adds a new dimension to the January-announced cyberattack on Fulton County, cybersecurity expert Patrick Kelley, founder of Critical Path Security, claims to have uncovered evidence of a data breach. This development contradicts the initial assurances from Fulton County officials who, at the time of the attack's announcement, denied any knowledge of data exfiltration.

The recent clarification by county officials categorizes the cyber incident as a financially motivated ransomware attack. However, Kelley's findings suggest a more severe compromise. He warns that iCloud data, alongside sensitive information relating to high-profile court cases, including those involving former President Donald Trump and rapper Young Thug, may be at risk.

Kelley's urgency is palpable as he speaks about the ticking clock, hinting at an impending release of more compromised data. His discoveries, which he says were documented on a hacking website, include a range of sensitive information such as medical records, court cases (both adjudicated and pending), and a comprehensive set of usernames and passwords. According to Kelley, the initial set of leaked credentials appears to encompass all departments within Fulton County, signifying a widespread impact on anyone who has worked, lived, or conducted business in the area.

Confirming suspicions voiced by Rob Pitts, Chairman of the Fulton County Board of Commissioners, Kelley concurs that the incident is indeed a ransomware attack. He estimates a critical 24- to 36-hour window before the attackers potentially release all the data, indicating Fulton County's decision against paying the ransom.

Kelley attributes this cyber onslaught to LockBit 3, a group he describes as "impressive" in their ability to target high-value entities like municipalities, often extorting millions. He draws parallels to the notorious City of Atlanta ransomware attack from nearly six years ago, suggesting a possible learning curve for the attackers based on past incidents.

The potential release of confidential data, such as police informant identities and health records, particularly from Fulton County's HIV department, raises alarming privacy and safety concerns. This incident not only risks publicizing individuals' HIV status but also casts a shadow over the security of personal health information in government databases.

Kelley emphasizes the need for a thorough assessment by Fulton County to grasp the full extent of the impact. He advises individuals potentially affected by the breach to consider legal consultation.

In his closing remarks, Kelley highlights a critical vulnerability in this breach: the use of weak administrative passwords. He urges the adoption of robust security practices, recommending passphrases augmented with numbers and symbols, and the implementation of two-step verification.

As Fulton County grapples with the ramifications of this cyberattack, Kelley's insights serve as a stark reminder of the escalating cyber threats facing our digital landscape and the paramount importance of robust cybersecurity measures.