Cyber Incident Victim: Saint-Martin-lez-Tatinghem
Date:
Jun 2023
Location:
France
Summary
A ransomware attack compromised the information systems of Saint-Martin-lez-Tatinghem. The incident encrypted a portion of the municipality's data, and it is probable that some personal data was stolen. The city chose not to pay the ransom. The attack primarily impacted services at the main town hall, causing email systems to be temporarily disabled. Technical teams worked to securely restore access to preserved documents, while other services like schools and libraries remained largely unaffected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On Wednesday, June 21, 2023, the municipality of Saint-Martin-lez-Tatinghem, France, fell victim to a cyberattack identified as a ransomware (rançongiciel) incident. The malicious software functioned by blocking access to computers and files through encryption, subsequently demanding a ransom payment from the victim to restore access. The initial indication of the incident was the malfunctioning of the computer network, which prompted an immediate alert to the digital service of CAPSO, the organization managing the town's IT network. A rapid response was initiated to contain the threat; this involved isolating all machines from the network and cutting all internet access to prevent the further propagation of the virus. This containment action was executed in coordination with the Cyber Incident Response Center (CSIRT) of Hauts-de-France and the National Gendarmerie.
Technical diagnostics commenced immediately to determine the origin and full severity of the situation. Preliminary assessment confirmed that the attack had successfully encrypted only a portion of the municipality's data. The investigation, conducted by the Gendarmerie, remained ongoing to determine the precise nature of the data that had been exfiltrated. The municipality officially stated that it was probable some personal data had been stolen, which could be used for fraudulent purposes such as identity theft, attempted scams, or account hacking. In accordance with regulatory requirements, the French data protection authority, the CNIL, was formally notified of the breach.
Faced with the ransom demand, the town council, in consultation with various specialized organizations, made the deliberate decision not to pay the ransom. This choice was articulated as a principled stance against condoning such criminal activities. The declaration of this non-payment policy was made public in a press release dated Wednesday, June 28, 2023. The operational impact of the attack was significant, causing a major slowdown in municipal services. The email systems for the town hall were temporarily disabled, leading to delays in processing emails received since the date of the attack. Citizens were advised to prioritize contact via telephone or in-person visits to the town hall while the messaging service was being gradually and securely redeployed.
The impact on specific municipal services was varied. The technical services, the Maison du Rivage, and the media libraries were not impacted and continued to function as usual. The three school groups within the commune, along with the eTicket system for canteen and after-school care reservations, were also confirmed as unaffected. The animation service of the Pôle Culture, Jeunesse et Vie scolaire was expected to return to normal operation very shortly. The municipal services located at the town hall on Place Cotillon Belin were the most heavily targeted by the attack. Access to documents that had been preserved was restored progressively and in a secure manner. These services were maintained but required an adapted mode of operation due to the ongoing incident.
Public communication was a key component of the response. The municipality committed to keeping citizens informed of the situation's evolution primarily through the town's Facebook page, "Ville de Saint Martin lez Tatinghem," and its official website. A primary concern communicated to the public was the heightened risk of phishing attempts or fraudulent communications stemming from the potential data theft. Citizens were repeatedly urged to exercise the utmost vigilance regarding the reception of any suspicious emails or SMS messages. Official guidance instructed individuals not to respond to, click links within, or open attachments from suspicious emails and to delete them immediately. Changing the password of the email account used to receive the suspicious message was also strongly recommended. The government website cybermalveillance.gouv.fr was designated as the official platform for reporting any suspicious messages and for accessing recommended best practices concerning personal data breaches and essential cybersecurity measures. All municipal teams were reported as fully mobilized to restore services as quickly as possible, with the public thanked for its patience and understanding during the disruption.