- Two cyberattacks in May, against the City of Baltimore and accounting software firm Wolters Kluwer, show how the newest wave of malicious hacking can have significant, often unpredictable personal consequences for individuals.
- "I'm bleeding cash on a rental and storage," says a prospective Baltimore homebuyer. "I was supposed to move out by the end of the month, but have no idea if we'll be able to close. It's more than an inconvenience. It's a nightmare."
- "I'm totally backed up," says an accountant from a big-four firm. "I've never seen anything like it. It's still all we talk about. It just wiped out a week of productivity."
On May 7, accounting software company Wolters Kluwer faced a devastating malware attack, shutting off service and panicking many accountants who were racing to file their clients' tax returns by a May 15 deadline.
As CNBC reported, some accountants worried they were going to have to file returns by hand. The IRS eventually extended the deadline an unprecedented seven days.
On the same day, the city government of Baltimore was ravaged by ransomware, a type of malicious software that locks down computers until somebody pays the attacker a ransom fee. Weeks later, some services still remain down. Routine tasks such as pulling home titles in order to complete real estate sales and fetching residents' water bills, have become impossible.
These are two examples of the broad and unpredictable ripple effects of the newest cyberattacks. This unpredictability makes it fiendishly difficult to prevent and insure against such attacks.
"I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves," Warren Buffett said last year.
"Most Americans are well aware of the rampant nature of breaches in our society today," said Paul Ferrillo, a cybersecurity partner with law firm Greenberg Traurig. "What they probably don't understand is that these breaches have major secondary and tertiary effects, especially when the breach is related to municipalities or the supply chain."
This month's cyberattacks give a taste of how our daily lives and routine tasks will be inconvenienced in untold new ways by hacking.
Although Wouters Kluwer is little known outside accounting circles, its software is broadly used in the industry.
The site was down for so long that the IRS finally had to get involved, announcing May 14 that those subject to the outage include "late filed return due to CCH software outage" as the reason.
While the IRS could not provide estimates as to how much the delay would cost, May filers were given seven additional days — to May 22 — to finish their returns and pay penalties and late fees, according to the agency and accountants who said they received instructions on how to file late.
It's a longer delay than the one-day reprieve the IRS gave filers in April 2018 after a routine software outage caused havoc on IRS websites.
Wolters Kluwer said it has now restored service to its products and that it sees "no evidence" that customer data — which includes years of tax and filing data storage — has been compromised.
"We're back online, and we filed, but we're definitely still feeling it and will for weeks. I'm totally backed up," said one accountant from a big-four firm, who wished to remain anonymous because he was not authorized to speak to the press. "I've never seen anything like it. It's still all we talk about. It just wiped out a week of productivity."
In Baltimore, the technology outage shut down many critical systems. At one point, city workers tried to get around an email outage by signing up for Google's free Gmail service — but Google disabled the accounts because its automated system saw a pattern often associated with spammers. (Service was later restored.)
Among many other problems, people couldn't buy or sell homes because nobody could access computer systems used for critical steps of the process, such as detecting liens and unpaid water bills.
On Thursday, Baltimore's newly elected mayor released a complicated, honor-system-based five-step process to allow home sellers to pay liens and obtain deeds manually, even with no financial records available showing how much they owe.
The stopgap measure — and there's still no telling how long the gap will be, according to the mayor's office — was meant to offer some legal protections to home buyers stuck in limbo.
"The City will reserve the right to delay recording in situations where the risk of non-payment is determined to be unreasonable," the note from Mayor Bernard Young's office reads.
"It's a nightmare, I can't emphasize that enough. Buying a home is already stressful," said one prospective Baltimore homebuyer who wished to remain anonymous to protect his privacy. "I'm bleeding cash on a rental and storage. I was supposed to move out by the end of the month, but have no idea if we'll be able to close. It's more than an inconvenience. It's a nightmare."
Unlike technology outages, cyberattacks often destroy data and lock down hardware, requiring weeks or months of replacement activity and lots of downtime.
And they're only increasing. According to research from cybersecurity company Malwarebytes Labs, after seeing a lull in 2018, ransomware attacks have surged again and are up 500% from this time last year.
For these types of attacks, the lockouts and hassles can end when the victim pays the ransom. But frequently they don't pay up because they don't trust the hackers, don't have the funds or have ethical concerns about paying.
According to research from data security company Recorded Future, ransomware attacks have hit local governments such as Baltimore's in 48 of 50 U.S. states. Only 17% paid the ransom, leaving many more facing weeks of cleanup.
For consumers and businesses, that means one thing: Get used to costly new hassles you never expected.