
Cyber Incident Victim: Gondomar Municipality

Date:

Sep 2023

Location:

Portugal

Summary

A sophisticated cyberattack targeted Gondomar Town Hall, described as the largest against a Portuguese public institution. The Russian-sourced attack encrypted data, leading to a prolonged system outage and a recovery cost of €1.5 million. A €750,000 ransom demand was not paid on official advice. While most systems were restored, some online services remained affected. Stolen data, including sensitive citizen documents, was exposed for sale on the dark web, severely disrupting municipal operations.

CIA Posture: available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 3 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

The cyberattack on Gondomar Town Hall commenced in the early hours of September 27, 2023, with the initial alert sounding at 05:38. The intrusion was later characterized by the mayor, Marco Martins, as the largest cyberattack on a public institution in Portugal to date, a designation he attributed to the National Cybersecurity Centre. The attack was sophisticated and succeeded despite the system being described as robust, which typically withstood an average of twenty-one attacks per month. The primary objective of the intrusion, according to expert analysis cited by the mayor, appeared to be the paralysis of the town council's operations, aiming to stop its systems rather than solely extort money or steal data. Rumors suggested the attackers had been infiltrating the municipal system for over a year prior to the main event, though the mayor did not confirm this definitively.


Authorities were alerted immediately after the incident was detected. The response involved hiring a private company linked to the Altice group to assist in recovering the encrypted data. This recovery effort was largely successful, though the council had to rely on a parallel system to continue serving the public in the interim. The investigation into the attack, still ongoing at the time of reporting, indicated that the attack originated from a Russian server. The hackers issued a ransom demand totaling €750,000. The town hall did not pay the ransom for three specific reasons: first, the authorities advised against paying; second, there was no guarantee that the data would be recovered upon payment; and third, as a public service entity, it could not legally initiate a public tender process to make such a payment.

The immediate impact of the attack was severe and widespread system downtime. The council's operations were significantly disrupted, forcing a return to processing all business on paper. The financial cost of restoring the system was substantial, with the mayor revealing an expenditure of between €1.4 and €1.5 million already spent or planned for investments necessary for recovery. These investments included the purchase of more than 700 discs and various services aimed at reinforcing security. This figure did not account for the accumulated losses from the extended period of downtime, which the mayor stated would amount to many millions of euros. The technical recovery process was exhaustive, involving work to recover 900 computers on the network. This process required changing discs and reinstalling operating systems, software, and applications. By the time of the mayor's statements, nearly 90% of the machines had been restored to operational status. However, numerous online services remained affected and inoperable, with full normality not expected to be restored until the end of the year.

A major consequence of the attack was the compromise and exfiltration of sensitive data. According to reports, the hackers published a wide array of stolen information on the dark web, where it was exposed and offered for sale. This leaked data included highly sensitive citizen documents such as identity cards and passports. A list of City Hall investment numbers was also among the information made public. The data breach affected many projects submitted by both residents and the council itself. The crisis marked the first activation of the municipality's Relief Operations Centre, which had been inaugurated on March 25; its initial use was for a computer crisis rather than a more traditional disaster like a fire or storm. An external audit was scheduled to begin to determine responsibility for the attack and to provide more answers regarding the events of September 27. The final report on the incident was not yet complete at the time of the mayor's interview.

Sources: 1 source (available to members)