One year later: Report offers some details about cyberattack on Monroe County govt; 913 people had info exposed

On July 1 last year (2024), Monroe County government was shut down due to a cyberattack and it stayed down for a week.

But a report released on Tuesday (Aug. 26, 2025), more than a year after the attack, revealed that the ransomware exploit started a week and a half earlier than the government shutdown.

The report also says that files from the county’s network were obtained by the hackers. According to the data breach report submitted to the office of the Indiana Attorney General, the names, Social Security numbers and driver’s license numbers from a total of 913 people, 899 of them Indiana residents, were included in the stolen files.

According to the report, a user account was exploited on June 19, 2024 to bypass the two-factor authentication used by Monroe County government. And on the following day a county administrative account was used to create several remote desktop protocol sessions, which were used to access four network user accounts. The unauthorized activity ended on June 30, 2024, according to the report.

That was the same day that Monroe County government received an alert from CrowdStrike’s cybersecurity service about a potential security breach. According to the report, Monroe County government “immediately locked down” its computing environment and shut down the servers. Monroe County then discovered that the servers were encrypted by ransomware. The report also says that the Monroe County government found a ransom note on some devices.

Monroe County government then notified state and federal law enforcement. Independently, CrowdStrike notified the State of Indiana.

The report was written by attorneys with Mullen Coughlin LLC, and appears to be focused on establishing that Monroe County government complied with all legal requirements. The cyber forensic investigation was done by Arete Advisors LLC.

According to information provided to The B Square by the Monroe County auditor’s office, eight payments from Sept. 11, 2024 to March 13, 2025 were made to Mullen Coughlin LLC, totalling $26,488. Six payments from Aug. 22, 2024 to March 6, 2025 were made to Arete Advisors LLC, totalling $73,512.

Mullen Coughlin was hired on July 1, 2024, which then hired Arete Advisors on July 1, 2024.

According to the released report, on April 2, 2025—which was nine months after the attack—the county government notified the 913 people that their personal information had been exposed. Those people were offered a year of free credit monitoring. The Indiana Attorney General’s office gave notification on June 3 this year saying that it was closing its investigation without any further action.

Monroe County government did not respond to a B Square records request made on July 8, 2024 for a copy of the communications sent by Monroe County government to the Indiana Office of Technology or law enforcement agencies. Under state law, the Indiana Office of Technology (IOT) is the agency to which local units have to report cybersecurity incidents within 48 hours.

After the release of the Mullen Coughlin report on Tuesday, Monroe County government has responded to the following questions from The B Square. [B Square questions in bold. Responses from Monroe County are in italics]:

1. Re: ransom notes. Did Monroe County refuse outright to pay, or were there negotiations? If no ransom was paid, how were systems restored?
   There were negotiations, but no ransom was paid. Our crack Technical Services Department has planned for these type of events, to allow for minimum disruptions.
2. How many and what kinds of files were actually taken?Beyond names and Social Security numbers and driver’s license numbers, were any law-enforcement or health records accessed?
   Files that were taken were on virtual servers, no law-enforcement files, including Jail files were exposed. Our health department and health clinic files were not exposed.
3. How was the two-factor authentication bypassed? Were there known vulnerabilities in the county’s setup?
   County utilizes best practices and standards set in place by Federal, State and entities such as CISA, MS-ISAC, in addition to recommendations made by cybersecurity specialists with Indiana and Purdue Universities. Vulnerabilities are continually being discovered in the wild by manufacturers, security researchers, and ethical hackers. We receive reports from various Federal and State agencies outlining newly discovered vulnerabilities on a weekly basis and apply remediation steps in our environment when applicable.
4. Why did it take until April 2025 to notify affected people, when the attack ended in June 2024?
   The County was working diligently with the insurance-provided Counsel to determine if information was exposed that required notification. Each state has different standards, and the County needed to comply with the laws in their current jurisdiction. In addition, many of the exposed files that ultimately led to notification were very old, and the County had to attempt to attain a current address for those individuals.
5. What concrete steps are being taken to ensure county systems aren’t compromised again?
   See response to #3. Additionally, we’ve implemented quarterly phishing and social engineering training. As well as annual cyber security training for all employees. Federal and State security services have also been leveraged.
6. Does the county’s new website, hosted through the Indiana state government, help ensure better security? Or is the new website domain hosting completely unrelated to the kind of cybersecurity incident that Monroe County government experienced?
   The new website works alongside our upcoming domain change to IN.GOV also provided by the State and was in no way related to the breach. In addition to increased manageability, the hosting change came at a reduced operating cost as compared to our previous site.